CVE-2026-1231
Awaiting Analysis Awaiting Analysis - Queue
Stored XSS in Beaver Builder Plugin via js Global Settings

Publication date: 2026-02-11

Last updated on: 2026-02-11

Assigner: Wordfence

Description
The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on save_global_settings() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above who have been granted beaver builder access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1231
EUVD
EUVD-2026-5949
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
beaver_builder beaver_builder to 2.10.0.5 (inc)
beaver_builder beaver_builder 2.9.4.2
beaver_builder beaver_builder_lite 2.9.4.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Beaver Builder Page Builder plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.10.0.5. This vulnerability arises because the plugin's save_global_settings() function lacks proper capability checks and does not sufficiently sanitize or escape input and output related to the `js` Global Settings parameter.

As a result, authenticated users with Custom-level access or higher who have been granted access to Beaver Builder can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the affected page, potentially compromising user security.

Impact Analysis

This vulnerability allows attackers with certain authenticated access to inject malicious scripts into pages built with Beaver Builder. The impact includes:

  • Execution of arbitrary JavaScript code in the context of users visiting the infected pages.
  • Potential theft of user session cookies, leading to account hijacking.
  • Defacement or manipulation of website content.
  • Phishing attacks by injecting fake login forms or misleading content.
  • Compromise of user data confidentiality and integrity.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability affects all versions of the Beaver Builder Page Builder plugin up to and including 2.10.0.5. It allows authenticated users with Custom-level access or higher who have Beaver Builder access to inject arbitrary scripts via the js Global Settings parameter due to missing capability checks and insufficient input sanitization.

Immediate mitigation steps include:

  • Restrict Beaver Builder access only to trusted users with appropriate permissions.
  • Update the Beaver Builder plugin to a version later than 2.10.0.5 where this vulnerability is fixed.
  • Review and audit user roles and capabilities to ensure no unauthorized users have access to Beaver Builder features.
  • Monitor and restrict the use of the save_global_settings() function or any interface that allows modification of the js Global Settings parameter.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1231. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart