[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fspx0AIYkNMfTHTXfNwjJAn_y5UNvdl4GUHkj304l39A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-2481","beaver-builder-page-builder-drag-and-drop-website-builder-authenticated-author-stored-cross-site-scripting-via-settingsj","Beaver Builder Page Builder – Drag and Drop Website Builder \u003C= 2.10.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'settings[js]'","The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings[js]' parameter in versions up to, and including, 2.10.1.1 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","beaver-builder-lite-version",null,"\u003C=2.10.1.1","2.10.1.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 22:31:55","2026-04-08 11:17:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5b15575f-0638-40ec-b152-20ba2225a725?source=api-prod",1,[22,23,24,25,26,27,28,29],"changelog.txt","classes\u002Fclass-fl-builder-admin-advanced.php","classes\u002Fclass-fl-builder-art.php","classes\u002Fclass-fl-builder-compatibility.php","classes\u002Fclass-fl-builder-css.php","classes\u002Fclass-fl-builder-filesystem.php","classes\u002Fclass-fl-builder-loader.php","classes\u002Fclass-fl-builder-loop.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-2481 (Beaver Builder Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Beaver Builder Page Builder** plugin (versions \u003C= 2.10.1.1) contains a stored cross-site scripting (XSS) vulnerability. The vulnerability exists in the handling of the `settings[js]` parameter when saving node or layout settings. While Beaver Builder allows administrators to add custom JavaScript to pages, it fails to verify if the user performing the save operation has the `unfiltered_html` capability. Consequently, an authenticated user with **Author-level** access (who typically lacks `unfiltered_html` on a standard WordPress install) can inject and save arbitrary JavaScript that executes whenever the affected page is rendered.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `fl_builder_save_node_settings` or `fl_builder_save_layout_settings` (handled by `FLBuilderAjax`).\n- **Vulnerable Parameter:** `settings[js]`\n- **Authentication Required:** Authenticated user with at least **Author** permissions. Authors can edit their own posts and use the Beaver Builder interface.\n- **Preconditions:** The Beaver Builder editor must be active for a post owned by the attacker.\n\n## 3. Code Flow\n1.  The attacker (Author) opens a post in the Beaver Builder editor.\n2.  The editor interface sends an AJAX request to `admin-ajax.php` with the action `fl_builder_save_node_settings`.\n3.  The request is routed to `FLBuilderAjax::save_node_settings()` in `classes\u002Fclass-fl-builder-ajax.php`.\n4.  This function retrieves the `settings` array from the `$_POST` superglobal.\n5.  The settings are passed to `FLBuilderModel::save_node_settings()` (in `classes\u002Fclass-fl-builder-model.php`).\n6.  The plugin fails to sanitize the `js` key within the `settings` array for users lacking the `unfiltered_html` capability.\n7.  The malicious payload is stored in the post's metadata (serialized in `_fl_builder_data`).\n8.  When any user (including an Administrator) views the page, `FLBuilder::render_nodes()` is called, which eventually outputs the content of the `js` setting inside a `\u003Cscript>` block on the frontend.\n\n## 4. Nonce Acquisition Strategy\nBeaver Builder heavily relies on nonces for its AJAX operations. The nonce is localized in the frontend editor.\n\n- **Localization Variable:** `FLBuilderConfig`\n- **Nonce Key:** `nonce`\n- **Strategy:**\n    1.  Create or identify a post owned by the Author.\n    2.  Ensure Beaver Builder is enabled for that post.\n    3.  Navigate to the post's frontend with the Beaver Builder editor active (usually by appending `?fl_builder` to the URL).\n    4.  
Use `browser_eval` to extract the nonce.\n\n```javascript\n\u002F\u002F Extraction via browser_eval\nwindow.FLBuilderConfig?.nonce\n```\n\n## 5. Exploitation Strategy\n\n### Step 1: Authentication & Setup\n1.  Authenticate as an **Author** user.\n2.  Identify a post ID (`TARGET_POST_ID`) that the Author can edit.\n3.  Ensure Beaver Builder is active for this post: `wp beaver edit TARGET_POST_ID` (or via standard UI).\n\n### Step 2: Extract Nonce and Node ID\n1.  Navigate to the editor: `browser_navigate(TARGET_URL + \"?fl_builder\")`.\n2.  Extract the AJAX nonce: `browser_eval(\"window.FLBuilderConfig.nonce\")`.\n3.  Extract a valid Node ID (the ID of a row or module on the page): `browser_eval(\"window.FLBuilderConfig.nodes[Object.keys(window.FLBuilderConfig.nodes)[0]].node_id\")`.\n\n### Step 3: Inject XSS Payload\nSend the malicious AJAX request to save the settings for the identified node.\n\n- **Tool:** `http_request`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n```text\naction=fl_builder_save_node_settings\n&node_id=TARGET_NODE_ID\n&node_type=module\n&settings[js]=alert(document.domain)\n&fl_builder_confirm_save=true\n&nonce=EXTRACTED_NONCE\n```\n\n### Step 4: Verification\n1.  Navigate to the public view of the page (without the builder active).\n2.  The script `alert(document.domain)` should execute.\n\n## 6. Test Data Setup\n1.  **Attacker User:** Create a user with the `author` role.\n2.  **Target Post:** Create a post titled \"XSS Test\" assigned to the Author.\n3.  **Plugin Config:** Ensure the \"Code Settings\" are enabled in Beaver Builder Advanced settings (this is the default state).\n    - `wp option update _fl_builder_advanced_settings '{\"node_code\":\"1\"}' --format=json`\n\n## 7. 
Expected Results\n- The AJAX response should return a JSON object indicating success (usually `{\"success\": true}`).\n- When viewing the post source, the string `alert(document.domain)` should be visible inside a script block generated by Beaver Builder, typically associated with the specific node.\n\n## 8. Verification Steps (Post-Exploit)\nCheck the database to confirm the payload is stored in the `_fl_builder_data` meta field:\n```bash\nwp post meta get \u003CTARGET_POST_ID> _fl_builder_data\n```\nVerify the stored value contains the injected string in its PHP-serialized form: `s:2:\"js\";s:22:\"alert(document.domain)\";` (the number after `s:` is the byte length of the string, 22 bytes for this payload). If `wp post meta get` prints the unserialized array rather than the raw meta_value, read the row directly instead: `wp db query \"SELECT meta_value FROM wp_postmeta WHERE post_id = \u003CTARGET_POST_ID> AND meta_key = '_fl_builder_data'\"` (adjust the table prefix if it is not `wp_`).\n\n## 9. Alternative Approaches\nIf `fl_builder_save_node_settings` is not the specific vulnerable path, try `fl_builder_save_layout_settings`. This action saves settings for the entire layout.\n\n**Alternative Body:**\n```text\naction=fl_builder_save_layout_settings\n&settings[js]=console.log('XSS_SUCCESS')\n&nonce=EXTRACTED_NONCE\n```\nThe \"Layout Settings\" JS is often rendered globally for the post, making it a reliable target for XSS that survives node deletions.","The Beaver Builder Page Builder plugin (\u003C= 2.10.1.1) is vulnerable to Stored Cross-Site Scripting because it fails to perform capability checks (such as 'unfiltered_html' or 'unrestricted_editing') when saving JavaScript settings for nodes or layouts. 
This allows authenticated users with Author-level access to inject arbitrary scripts via the 'settings[js]' parameter, which execute whenever a user views the compromised page.","\u002F\u002F In classes\u002Fclass-fl-builder-model.php (inferred from research plan and patch logic)\n\u002F\u002F The plugin processes node settings without verifying if the user has permissions to save raw JavaScript.\n\n$settings = $_POST['settings'];\n\nif ( isset( $settings['js'] ) ) {\n    \u002F\u002F Vulnerable: The 'js' field is saved to post meta without checking for 'unfiltered_html' capability.\n    $node_settings->js = $settings['js'];\n}\n\n\u002F\u002F --- \n\n\u002F\u002F In classes\u002Fclass-fl-builder-ajax.php\n\u002F\u002F save_node_settings() and save_layout_settings() receive user input directly\n\npublic static function save_node_settings() {\n    $node_id  = sanitize_text_field( $_POST['node_id'] );\n    $settings = $_POST['settings']; \u002F\u002F settings array containing 'js' key is passed to the model\n\n    FLBuilderModel::save_node_settings( $node_id, $settings );\n    \u002F\u002F ...\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbeaver-builder-lite-version\u002F2.10.0.6\u002Fchangelog.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbeaver-builder-lite-version\u002F2.10.1.2\u002Fchangelog.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbeaver-builder-lite-version\u002F2.10.0.6\u002Fchangelog.txt\t2026-02-02 16:51:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbeaver-builder-lite-version\u002F2.10.1.2\u002Fchangelog.txt\t2026-03-12 18:21:26.000000000 +0000\n@@ -1,10 +1,81 @@\n+\u003Ch4>2.10.1.2 - 03\u002F12\u002F2026\u003C\u002Fh4>\n+\u003Cp>\u003Cstrong>Hotfix\u003C\u002Fstrong>\u003C\u002Fp>\n+\u003Cul>\n+\t\u003Cli>Security: Check if user has unrestricted_editing before allowing JS to 
be changed (#4882)\u003C\u002Fli>\n+\t\u003Cli>Fixed row link color overriding menu module link color (#4866)\u003C\u002Fli>\n+\t\u003Cli>Fixed template views with duplicate handles overwriting each other in the Templates tab (#4889)\u003C\u002Fli>\n+\t\u003Cli>Loop Module: Fixed issues with pagination on Themer layout or when using Relationship as a source (#4641)\u003C\u002Fli>\n+\t\u003Cli>Fixed compatibility issue with Cookiebot plugin (#4904)\u003C\u002Fli>\n+\t\u003Cli>Components: Fixed nested component settings showing all fields when opened from the Outline Panel (#4906)\u003C\u002Fli>\n+\t\u003Cli>Box Module: Fixed min-width causing child boxes to overlap in some flex row layouts (#4911)\u003C\u002Fli>\n+\t\u003Cli>Video module: Fixed autoplay issues when Assistant plugin is active (#4935)\u003C\u002Fli>\n+\u003C\u002Ful>","The exploit targets the AJAX actions used by Beaver Builder to save layout or node configurations. \n\n1. Authentication: The attacker authenticates as a user with Author-level permissions or higher who has permission to edit a specific post using Beaver Builder.\n2. Nonce Extraction: The attacker navigates to the Beaver Builder editor interface for their post (e.g., `?fl_builder`) and extracts the `nonce` key from the localized `FLBuilderConfig` JavaScript object.\n3. Payload Delivery: The attacker sends a POST request to `wp-admin\u002Fadmin-ajax.php` with the action `fl_builder_save_node_settings` (or `fl_builder_save_layout_settings`). \n4. Parameters: The request must include the extracted `nonce`, a valid `node_id`, and a `settings` array where the `js` key contains the malicious payload (e.g., `settings[js]=alert(document.domain)`).\n5. Execution: Because the plugin performs no capability check on this field before saving it (the 2.10.1.2 changelog describes the fix as checking `unrestricted_editing`; the research plan reasons in terms of the core `unfiltered_html` capability, which Authors lack by default), the script is saved into the post's `_fl_builder_data` metadata. 
The script will execute in the browser of any user (including administrators) who subsequently views the published page.","gemini-3-flash-preview","2026-04-17 20:23:52","2026-04-17 20:24:12",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.10.0.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbeaver-builder-lite-version\u002Ftags\u002F2.10.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbeaver-builder-lite-version.2.10.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbeaver-builder-lite-version\u002Ftags\u002F2.10.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbeaver-builder-lite-version.2.10.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbeaver-builder-lite-version\u002Ftags"]
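Review bot: the only hunk on this page touches changelog.txt, so the security change it announces (checking `unrestricted_editing` before allowing JS to be changed, #4882) is not visible in the diff and cannot be reviewed from it; the other changed files listed for this release (classes/class-fl-builder-admin-advanced.php and the rest) need to be diffed to confirm that both `fl_builder_save_node_settings` and `fl_builder_save_layout_settings`, which the exploit outline names as save paths, are gated by the new check. The capability names on this page also disagree: the changelog entry says `unrestricted_editing`, while the research plan and exploit outline describe the missing check as `unfiltered_html`; whoever verifies the fix should confirm which capability the patched code tests, since a site that grants one but not the other to Authors would behave differently under the two readings.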
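An added example that is not part of the original research record or of the Beaver Builder code base: a Python audit of the raw `_fl_builder_data` meta_value that the verification step in section 8 inspects. It decodes the PHP serialize() format WordPress uses for post meta and lists every node whose `js` or `css` setting carries code, which is the sweep an incident responder would run across wp_postmeta on a site that was exposed before updating to 2.10.1.2. The serialized sample, its node ids, module types and stdClass layout are constructed assumptions, not taken from the plugin; the string helper also shows why the stored payload reads `s:22:` (PHP counts UTF-8 bytes, not characters).

```python
"""Audit a Beaver Builder `_fl_builder_data` meta_value for stored JavaScript.

Added example for this page, not code from the Beaver Builder project or the
research plan. The node ids, module types and stdClass shape of SAMPLE_META
are assumptions; the reader itself only depends on the PHP serialize() format.
"""
from __future__ import annotations

from typing import Any


def php_serialize_string(value: str) -> str:
    """Serialize one string as PHP does: the prefix is the UTF-8 byte length."""
    return f's:{len(value.encode("utf-8"))}:"{value}";'


class PhpUnserializer:
    """Minimal reader for PHP serialize() output (N, b, i, d, s, a, O)."""

    def __init__(self, data: bytes) -> None:
        self.buf = data
        self.pos = 0

    def _number_until(self, stop: bytes) -> int:
        end = self.buf.index(stop, self.pos)
        value = int(self.buf[self.pos:end])
        self.pos = end + 1
        return value

    def _expect(self, token: bytes) -> None:
        if self.buf[self.pos:self.pos + len(token)] != token:
            raise ValueError(f"expected {token!r} at byte {self.pos}")
        self.pos += len(token)

    def _string_body(self) -> bytes:
        # <len>:"<bytes>"  -- the length counts bytes, so slice before decoding
        length = self._number_until(b":")
        self._expect(b'"')
        body = self.buf[self.pos:self.pos + length]
        self.pos += length
        self._expect(b'"')
        return body

    def _pairs(self, count: int, target: dict) -> dict:
        self._expect(b"{")
        for _ in range(count):
            key = self.parse()
            target[key] = self.parse()
        self._expect(b"}")
        return target

    def parse(self) -> Any:
        tag = self.buf[self.pos:self.pos + 1]
        self.pos += 2  # skip the tag and its ':' (or ';' for N)
        if tag == b"N":
            return None
        if tag == b"b":
            return self._number_until(b";") == 1
        if tag == b"i":
            return self._number_until(b";")
        if tag == b"d":
            end = self.buf.index(b";", self.pos)
            value = float(self.buf[self.pos:end])
            self.pos = end + 1
            return value
        if tag == b"s":
            body = self._string_body()
            self._expect(b";")
            return body.decode("utf-8", "replace")
        if tag == b"a":
            return self._pairs(self._number_until(b":"), {})
        if tag == b"O":
            cls = self._string_body().decode("utf-8", "replace")
            self._expect(b":")
            return self._pairs(self._number_until(b":"), {"__class": cls})
        raise ValueError(f"unsupported tag {tag!r} at byte {self.pos - 2}")


def find_code_settings(node: Any) -> list[dict]:
    """Walk the decoded layout and collect nodes whose settings carry js/css."""
    hits: list[dict] = []
    if isinstance(node, dict):
        settings = node.get("settings")
        if isinstance(settings, dict):
            for field in ("js", "css"):
                code = settings.get(field)
                if isinstance(code, str) and code.strip():
                    hits.append({"node": node.get("node"), "type": node.get("type"),
                                 "field": field, "code": code})
        for child in node.values():
            hits.extend(find_code_settings(child))
    return hits


def audit_fl_builder_data(meta_value: bytes) -> list[dict]:
    """Decode one raw `_fl_builder_data` meta_value and report code-bearing nodes."""
    return find_code_settings(PhpUnserializer(meta_value).parse())


PAYLOAD = "alert(document.domain)"

# Constructed sample layout (assumed shape): a module whose `js` setting holds
# the payload, and a row whose `js` setting is empty.
SAMPLE_META = (
    'a:2:{'
    's:4:"n001";O:8:"stdClass":3:{s:4:"node";s:4:"n001";s:4:"type";s:6:"module";'
    's:8:"settings";O:8:"stdClass":2:{s:4:"type";s:4:"html";s:2:"js";'
    + php_serialize_string(PAYLOAD) +
    '}}'
    's:4:"n002";O:8:"stdClass":3:{s:4:"node";s:4:"n002";s:4:"type";s:3:"row";'
    's:8:"settings";O:8:"stdClass":1:{s:2:"js";s:0:"";}}'
    '}'
).encode("utf-8")

if __name__ == "__main__":
    print(php_serialize_string(PAYLOAD))
    for hit in audit_fl_builder_data(SAMPLE_META):
        print(f"{hit['type']} {hit['node']}: {hit['field']} = {hit['code']!r}")
```

Feed it the raw meta_value bytes from the database (for example the output of `wp db query`), not the pretty-printed output of `wp post meta get`, since the reader expects the serialized form. Updating the plugin adds a check at save time and does not rewrite layouts already stored, so the sweep is worth running after patching as well as before.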