CVE-2026-24594
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| livemesh | addons-for-wpbakery-page-builder | to 3.9.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24594 is a Cross Site Scripting (XSS) vulnerability in the WordPress plugin 'Livemesh Addons for WPBakery Page Builder' versions up to 3.9.4. It allows an attacker to inject malicious scripts into web pages generated by the plugin. Exploitation requires a privileged user (Editor or Developer) to interact with a malicious link, page, or form, which then causes the malicious script to execute when other site visitors access the compromised content. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability can allow attackers to execute malicious scripts on your website, potentially leading to unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads. This can compromise the integrity and trustworthiness of your site, affect user experience, and possibly lead to further attacks. However, exploitation risk is low because it requires interaction by a privileged user. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for suspicious activity by privileged users (Editors or Developers) interacting with the Livemesh Addons for WPBakery Page Builder plugin (version <= 3.9.4). Since exploitation requires user interaction with crafted pages or malicious links, you can check web server logs for unusual requests or payloads targeting this plugin. Additionally, scanning the website for injected scripts or unexpected HTML payloads in pages generated by the plugin may help. There are no specific commands provided for detection. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting privileged user roles (Editor or Developer) from interacting with untrusted content or links, educating users about the risk of clicking unknown links, and monitoring for suspicious activity. Since no official fix or patched version is currently available, consider disabling or limiting use of the Livemesh Addons for WPBakery Page Builder plugin until a patch is released. [1]