CVE-2026-3897

EPSS 0.22%
Veröffentlicht 27.05.2026 06:46:16
Zuletzt bearbeitet 27.05.2026 14:50:47
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Missing Authorization

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `labb_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerlivemesh

≫

Produkt Livemesh Addons for Beaver Builder

Default Statusunaffected

Version <= 3.9.2

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.126

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	6.4	3.1	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/8bc41c61-1d8a-445f-bd70-3b14a40c89d4?source=cve

https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/admin/admin-ajax.php#L64

https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/includes/helper-functions.php#L248

https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/admin/views/settings.php#L137

https://nvd.nist.gov/vuln/detail/CVE-2026-3897

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3897

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3897

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-3897