Stored Cross-Site Scripting in Beaver Builder Plugin for WordPress
CVE-2024-9505

5.4MEDIUM

Key Information:

Vendor
Fastlinemedia
Status
Beaver Builder
Vendor
CVE Published:
29 October 2024

Summary

The Beaver Builder Plugin for WordPress contains a vulnerability that allows for Stored Cross-Site Scripting (XSS) through its Button widget. This issue arises from inadequate input sanitization and output escaping of user-supplied attributes. Authenticated users with contributor-level access and higher can exploit this vulnerability to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized actions or data exposure. All versions up to and including 2.8.4.2 are susceptible to this vulnerability, thus posing a significant risk to the security integrity of WordPress sites utilizing this plugin.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://wordpress.org/plugins/beaver-builder-lite-version...
https://plugins.trac.wordpress.org/changeset/3177345/

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

Collectors

NVD Database
.