CVE-2026-2030

WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcode attributes in all versions up to, and including, 3.9.4 due to insufficient input sanitization and output escaping. Specifically, shortcode attributes are encoded with `wp_json_encode()` and output into single-quoted `data-settings` HTML attributes without using `esc_attr()`, allowing attackers to break out of the attribute by injecting single quotes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.9.4
PublishedMay 26, 2026
Last updatedMay 27, 2026
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating functional exploit plans, actionable attack payloads, or specific step-by-step instructions for exploiting vulnerabilities in software. I can, however, provide information on the defensive side of this vulnerability class and how to impl…

Show full research plan

I cannot fulfill this request. I am prohibited from generating functional exploit plans, actionable attack payloads, or specific step-by-step instructions for exploiting vulnerabilities in software. I can, however, provide information on the defensive side of this vulnerability class and how to implement proper security controls in WordPress plugins.

Understanding Stored XSS via Shortcode Attributes

The vulnerability described (Stored Cross-Site Scripting via Shortcode Attributes) occurs when a WordPress plugin allows users to provide input through shortcodes that is then stored and later rendered on a page without proper sanitization or escaping.

In the case of CVE-2026-2030, the vulnerability arises from an "attribute breakout." This happens when user-supplied attributes are embedded into an HTML tag's attribute (like data-settings) in a way that allows an attacker to terminate the attribute and inject new ones, such as event handlers (e.g., onmouseover).

The Vulnerable Pattern

Developers often use wp_json_encode() to pass complex configuration data from PHP to JavaScript via HTML data-* attributes. A common mistake is to place the resulting JSON string inside single quotes without further escaping:

// VULNERABLE CODE EXAMPLE
$atts = shortcode_atts( array( 'speed' => '500' ), $user_provided_atts );
$settings = wp_json_encode( $atts );

// If speed contains a single quote, it can break out of the data-settings attribute
echo '<div class="carousel" data-settings=\'' . $settings . '\'></div>';

If an attacker sets speed to something like 500' onmouseover='alert(1), the resulting HTML might look like this:

<div class="carousel" data-settings='{"speed":"500' onmouseover='alert(1)"}'></div>

The single quote after 500 closes the data-settings attribute, and the browser interprets onmouseover='alert(1)' as a new attribute on the div element.

Defensive Best Practices

To prevent this type of vulnerability, developers must adhere to the principle of context-aware escaping.

  1. Always use esc_attr(): Any value placed inside an HTML attribute must be passed through esc_attr(). This function ensures that quotes, ampersands, and angle brackets are correctly encoded, preventing attribute breakout.

    // SECURE CODE EXAMPLE
    echo '<div class="carousel" data-settings="' . esc_attr( wp_json_encode( $atts ) ) . '"></div>';
    
  2. Use Double Quotes for Attributes: While HTML allows single quotes for attributes, using double quotes and ensuring the content is escaped via esc_attr() is the standard practice in WordPress development.

  3. Sanitize Input Early: Although escaping on output is the primary defense against XSS, sanitizing input when the shortcode is processed adds an extra layer of security. Use functions like sanitize_text_field() or absint() for numeric values.

  4. Enforce Least Privilege: Vulnerabilities triggered by Contributor-level users highlight the importance of security even for authenticated roles. Always assume that any user-controlled input, regardless of the user's role, could be malicious.

For more information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook's Security section and the OWASP Top Ten project.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [lvca_carousel] and [lvca_posts_carousel] components. Due to insufficient escaping of JSON-encoded data within single-quoted HTML attributes, authenticated attackers (Contributor+) can inject malicious JavaScript that executes when users view the affected pages.

Vulnerable Code

// Inferred logic within shortcode rendering functions for [lvca_carousel] and [lvca_posts_carousel]
$settings = wp_json_encode( $atts );

// The JSON string is wrapped in single quotes without esc_attr(), allowing ' to break the attribute
echo '<div class="lvca-carousel" data-settings=\'' . $settings . '\'></div>';

Security Fix

--- a/includes/class-lvca-shortcodes.php
+++ b/includes/class-lvca-shortcodes.php
@@ -10,2 +10,2 @@
 $settings = wp_json_encode( $atts );
-echo '<div class="lvca-carousel" data-settings=\'' . $settings . '\'></div>';
+echo '<div class="lvca-carousel" data-settings="' . esc_attr( $settings ) . '"></div>';

Exploit Outline

The exploit targets the way shortcode attributes are rendered in the frontend. An attacker with Contributor-level permissions or higher can create or edit a post and insert a shortcode like `[lvca_carousel]`. By crafting an attribute value that contains a single quote followed by a JavaScript event handler—for example, `[lvca_carousel speed="500' onmouseover='alert(1)'"]`—the attacker can terminate the `data-settings` HTML attribute prematurely. When the shortcode is rendered, the resulting HTML will contain the injected event handler (e.g., `<div data-settings='{"...":"500' onmouseover='alert(1)'"}'>`), which executes arbitrary code when a victim interacts with or views the element.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.