CVE-2024-4430 is a stored cross-site scripting (XSS) vulnerability classified under CWE-80, found in the Beaver Builder WordPress Page Builder plugin developed by justinbusa. The vulnerability exists in all versions up to and including 2.8.1.2, specifically within the photo widget's crop attribute. Due to inadequate input sanitization and output escaping, authenticated users with contributor-level or higher privileges can inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of victims. The vulnerability requires no user interaction beyond viewing the affected page and can be exploited remotely over the network. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required (low), no user interaction, and a scope change with partial confidentiality and integrity impact but no availability impact. No public exploit code has been reported yet, but the vulnerability poses a significant risk due to the widespread use of Beaver Builder in WordPress sites. The root cause is the failure to properly neutralize script-related HTML tags in user-controllable input fields, a common XSS vector. Mitigation involves patching the plugin once updates are available or applying strict input validation and output encoding on the affected attribute. Additionally, limiting contributor privileges and monitoring for suspicious activity can reduce exploitation likelihood.

This vulnerability can lead to unauthorized script execution in the context of affected WordPress sites, compromising user sessions, stealing sensitive information, or enabling further attacks such as privilege escalation or malware distribution. Since Beaver Builder is a popular page builder plugin, many websites globally could be affected, especially those allowing contributor-level users to add or edit content. The impact includes potential data leakage, defacement, loss of user trust, and reputational damage. Attackers could leverage this vulnerability to pivot within the site or network, especially if administrative users view the infected pages. Although no availability impact is noted, the confidentiality and integrity of site content and user data are at risk. Organizations relying on Beaver Builder for content management must consider this a medium-severity threat that can disrupt normal operations and user trust if exploited.

Organizations should immediately verify if their WordPress installations use Beaver Builder versions up to 2.8.1.2 and plan to upgrade to a patched version once released. Until a patch is available, restrict contributor and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the photo widget crop attribute. Employ strict input validation and output encoding on all user-supplied data fields, especially those related to page content and widgets. Regularly audit user activities and content changes for signs of injected scripts. Enable Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of XSS attacks. Educate content contributors about safe content practices and the risks of injecting untrusted code. Monitor security advisories from the plugin vendor and WordPress community for updates and exploit reports.