CVE-2026-3895
Stored XSS in WPBakery Page Builder Addons by Livemesh
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| livemesh | wpbakery_page_builder_addons | to 3.9.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WPBakery Page Builder Addons by Livemesh plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its `lvca_admin_ajax` AJAX action. This vulnerability exists in all versions up to and including 3.9.4 because the plugin does not properly check user permissions and fails to sanitize input sufficiently.
Although the AJAX handler verifies a nonce, it does not verify the user's capabilities, allowing authenticated users with Subscriber-level access or higher to exploit this flaw.
Attackers can modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.
How can this vulnerability impact me? :
This vulnerability allows attackers with low-level authenticated access (Subscriber or above) to inject malicious scripts into the plugin settings.
These scripts can execute in the context of administrators visiting the plugin settings page or any user visiting the frontend, potentially leading to unauthorized actions, data theft, or session hijacking.
Because the vulnerability involves Stored Cross-Site Scripting, the malicious code persists and can affect multiple users, increasing the risk and impact.