CVE-2026-24594
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for WPBakery Page Builder addons-for-visual-composer allows Stored XSS.This issue affects Livemesh Addons for WPBakery Page Builder: from n/a through <= 3.9.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24594
EUVD
EUVD-2026-4253
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
livemesh addons-for-wpbakery-page-builder to 3.9.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24594 is a Cross Site Scripting (XSS) vulnerability in the WordPress plugin 'Livemesh Addons for WPBakery Page Builder' versions up to 3.9.4. It allows an attacker to inject malicious scripts into web pages generated by the plugin. Exploitation requires a privileged user (Editor or Developer) to interact with a malicious link, page, or form, which then causes the malicious script to execute when other site visitors access the compromised content. [1]

Impact Analysis

If exploited, this vulnerability can allow attackers to execute malicious scripts on your website, potentially leading to unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads. This can compromise the integrity and trustworthiness of your site, affect user experience, and possibly lead to further attacks. However, exploitation risk is low because it requires interaction by a privileged user. [1]

Detection Guidance

Detection involves monitoring for suspicious activity by privileged users (Editors or Developers) interacting with the Livemesh Addons for WPBakery Page Builder plugin (version <= 3.9.4). Since exploitation requires user interaction with crafted pages or malicious links, you can check web server logs for unusual requests or payloads targeting this plugin. Additionally, scanning the website for injected scripts or unexpected HTML payloads in pages generated by the plugin may help. There are no specific commands provided for detection. [1]

Mitigation Strategies

Immediate mitigation steps include restricting privileged user roles (Editor or Developer) from interacting with untrusted content or links, educating users about the risk of clicking unknown links, and monitoring for suspicious activity. Since no official fix or patched version is currently available, consider disabling or limiting use of the Livemesh Addons for WPBakery Page Builder plugin until a patch is released. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24594. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart