[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fOVf5rh80nlYerXVn8C_OCYeIrD-_mmNTdmOaaR-niH4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-3895","wpbakery-page-builder-addons-by-livemesh-missing-authorization-to-authenticated-subscriber-stored-cross-site-scripting","WPBakery Page Builder Addons by Livemesh \u003C= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting","The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.","addons-for-visual-composer",null,"\u003C=3.9.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Missing Authorization","2026-05-26 17:33:39","2026-05-27 06:46:19",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fff0d4000-020b-4e22-9362-a8f0f5df321e?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-3895\n\n## 1. Vulnerability Summary\nThe **WPBakery Page Builder Addons by Livemesh** plugin (\u003C= 3.9.4) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the `lvca_admin_ajax` action fails to perform capability checks (e.g., `current_user_can( 'manage_options' )`), allowing any authenticated user with Subscriber-level permissions to trigger administrative functions. This endpoint is used to update plugin settings. Because the input is not sufficiently sanitized before being saved to the database (via `update_option`), an attacker can inject malicious JavaScript (Stored XSS). This script executes when an administrator visits the plugin settings page or when the affected settings are rendered on the frontend.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `lvca_admin_ajax`\n- **Vulnerable Parameter:** Likely a `settings` or `options` array passed in the POST request. (Specific keys like `custom_css` or text-based fields are primary targets).\n- **Authentication:** Authenticated (Subscriber+)\n- **Preconditions:**\n    - A valid nonce for the `lvca_admin_ajax` action.\n    - The plugin must be active.\n\n## 3. Code Flow (Inferred from description)\n1. **Registration:** The plugin registers the AJAX action:\n   `add_action( 'wp_ajax_lvca_admin_ajax', 'lvca_admin_ajax_handler' );`\n2. **Entry Point:** A Subscriber user sends a POST request to `admin-ajax.php` with `action=lvca_admin_ajax`.\n3. **Nonce Verification:** The handler `lvca_admin_ajax_handler` calls `check_ajax_referer( 'lvca_admin_ajax_nonce', 'nonce' )` (or similar identifiers).\n4. **Missing Authorization:** The code proceeds to process settings without checking `current_user_can`.\n5. **Sink:** The handler takes input from `$_POST['settings']` and calls `update_option( 'lvca_settings', $settings )`.\n6. **Trigger:** The saved option is retrieved and echoed in an admin page or frontend component without escaping: `echo get_option( 'lvca_settings' )['vulnerable_field'];`.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is required. It is typically exposed via `wp_localize_script` to users who have access to the WordPress dashboard (including Subscribers).\n\n1. **Identify Script Localization:** The plugin likely enqueues an admin script and localizes parameters.\n2. **Create Subscriber User:**\n   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3. **Log in and Extract:**\n   - Use `browser_navigate` to log in as the Subscriber.\n   - Navigate to the WordPress dashboard (`\u002Fwp-admin\u002F`).\n   - Use `browser_eval` to find the nonce in the global window object.\n   - **Target Variable (Inferred):** `window.lvca_admin_vars?.nonce` or `window.lvca_settings?.nonce`.\n   - **Verification:** Look for script tags containing `lvca_admin_ajax` in the page source to find the exact object name.\n\n## 5. Exploitation Strategy\n1. **Prepare Payload:** A basic XSS payload to prove execution: `\u003C\u002Fscript>\u003Cscript>alert(origin)\u003C\u002Fscript>`.\n2. **Identify Target Field:** Based on standard plugin settings, look for fields like `custom_css`, `google_maps_api_key`, or `analytics_id`.\n3. **Construct HTTP Request:**\n   - **Method:** POST\n   - **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body:**\n     ```\n     action=lvca_admin_ajax&\n     nonce=[EXTRACTED_NONCE]&\n     sub_action=save_settings& (inferred)\n     settings[custom_css]=\u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n     ```\n4. **Trigger Execution:** Navigate to the plugin's settings page as an Administrator OR view a page where the addon's custom CSS is loaded.\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `addons-for-visual-composer` version \u003C= 3.9.4 is installed.\n2. **Create Attacker:**\n   `wp user create lowpriv subscriber@example.com --role=subscriber --user_pass=password123`\n3. **Create Admin (for verification):** Use existing admin or `wp user create admin admin@example.com --role=administrator`.\n\n## 7. Expected Results\n- The AJAX request should return a success status (e.g., `{\"success\":true}` or HTTP 200).\n- The `lvca_settings` (or equivalent) option in the database should now contain the `\u003Cscript>` payload.\n- When an administrator visits `\u002Fwp-admin\u002Fadmin.php?page=lvca-settings` (inferred path), the JavaScript should execute.\n\n## 8. Verification Steps\n1. **Check Database via WP-CLI:**\n   `wp option get lvca_settings`\n   Verify that the output contains the injected script.\n2. **Verify Execution (Headless):**\n   - Log in as Administrator using `browser_navigate`.\n   - Navigate to the plugin settings page.\n   - Check for the alert or check the DOM for the injected script using `browser_eval(\"document.body.innerHTML.includes('alert')\")`.\n\n## 9. Alternative Approaches\n- **Sub-actions:** If `save_settings` is not the correct sub-action, grep the plugin source for the `lvca_admin_ajax` function definition to identify the switch\u002Fcase logic for different tasks.\n- **Frontend Trigger:** Some settings might be rendered on the frontend. Create a post with a Livemesh addon shortcode (e.g., `[lvca_posts]`) and visit it as an anonymous user to see if the script fires.\n- **Targeting Metadata:** Check if the AJAX action allows updating post metadata or user metadata instead of global options.","The WPBakery Page Builder Addons by Livemesh plugin for WordPress (up to 3.9.4) is vulnerable to Stored Cross-Site Scripting due to missing authorization checks and insufficient input sanitization in its AJAX handling logic. This allows authenticated attackers with Subscriber-level access to modify plugin settings and inject malicious scripts that execute when an administrator visits the plugin settings page or when the affected settings are rendered on the frontend.","--- a\u002Faddons-for-visual-composer.php\n+++ b\u002Faddons-for-visual-composer.php\n@@ -1,5 +1,10 @@\n public function lvca_admin_ajax_handler() {\n     check_ajax_referer( 'lvca_admin_ajax_nonce', 'nonce' );\n \n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( array( 'message' => __( 'Access Denied', 'lvca' ) ) );\n+        return;\n+    }\n+\n     if ( isset( $_POST['settings'] ) ) {\n-        update_option( 'lvca_settings', $_POST['settings'] );\n+        $settings = array_map( 'sanitize_text_field', $_POST['settings'] );\n+        update_option( 'lvca_settings', $settings );\n     }\n }","To exploit this vulnerability, an attacker first authenticates as a Subscriber and extracts the 'lvca_admin_ajax_nonce' from the WordPress dashboard's source code, where it is typically localized for JavaScript use. The attacker then sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter set to 'lvca_admin_ajax' and a 'settings' array containing an XSS payload (e.g., within a 'custom_css' or text-based field). Because the plugin fails to perform a capability check (such as 'current_user_can') and does not sanitize the input, the payload is saved into the 'lvca_settings' option in the database and will execute in the browser of any user, including administrators, who visits the settings page or views content where the plugin settings are rendered.","gemini-3-flash-preview","2026-06-04 18:36:19","2026-06-04 18:36:39",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddons-for-visual-composer\u002Ftags"]