Stored Cross-Site Scripting in Livemesh Addons for Beaver Builder Plugin by WordPress
CVE-2026-3897

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
Livemesh Addons For Beaver Builder
Vendor
CVE Published:
27 May 2026

What is CVE-2026-3897?

The Livemesh Addons for Beaver Builder plugin for WordPress features a vulnerability due to insufficient authorization checks in its AJAX handling. Specifically, the labb_admin_ajax action permits authenticated users with Subscriber-level access or higher to inject malicious scripts. This occurs because, while a nonce verification is in place, the system fails to adequately check user capabilities. Attackers can exploit this flaw to manipulate plugin settings, enabling script execution either when administrators access the plugin settings or when any user interacts with the frontend.

Affected Version(s)

Livemesh Addons for Beaver Builder 0 <= 3.9.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/addons-for-bea...
https://plugins.trac.wordpress.org/browser/addons-for-bea...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ
.