Arbitrary Web Script Injection Vulnerability in Beaver Builder
CVE-2024-7895

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Beaver Builder – WordPress Page Builder
Vendor: CVE Published:; 29 August 2024

Summary

The Beaver Builder – WordPress Page Builder plugin is affected by a Stored Cross-Site Scripting (XSS) vulnerability that arises from inadequate sanitation of user inputs and failure to properly escape outputs. This vulnerability affects all versions up to 2.8.3.5 and allows authenticated users with Contributor-level privileges or higher to inject arbitrary scripts into the web pages created using the plugin. Consequently, these scripts execute whenever a visitor accesses the affected page, potentially compromising the security and integrity of the site. Proper input handling and output encoding mechanisms are essential to mitigate this type of vulnerability.

Affected Version(s)

Beaver Builder – WordPress Page Builder * <= 2.8.3.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/beaver-builder...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Aug 29, 2024
Vulnerability Reserved
Aug 16, 2024

Credit

D.Sim