The Livemesh Addons for Beaver Builder plugin for WordPress suffers from a stored cross-site scripting vulnerability identified as CVE-2026-2029. The vulnerability exists in all versions up to and including 3.9.2 within the `[labb_pricing_item]` shortcode, specifically in the handling of the `title` and `value` attributes. The root cause is insufficient input sanitization combined with improper output escaping: the plugin applies `wp_kses_post()` to sanitize input but subsequently calls `htmlspecialchars_decode()`, which decodes HTML entities back into executable code, effectively negating the sanitization step. This flaw allows authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript code that is stored persistently and executed whenever any user accesses the affected page. The vulnerability does not require user interaction to trigger and can impact confidentiality and integrity by enabling session hijacking, defacement, or unauthorized actions within the WordPress site context. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, scope change, and low impact on confidentiality and integrity, with no impact on availability. No patches or official fixes are currently linked, and no active exploitation has been reported. However, the vulnerability poses a significant risk to websites using this plugin, especially those allowing contributor-level users to add or edit content.

This vulnerability allows attackers with relatively low privileges (Contributor-level) to inject persistent malicious scripts into WordPress pages, which execute in the context of any user visiting those pages. The impact includes potential session hijacking, theft of sensitive data, unauthorized actions performed on behalf of users, and website defacement. Since the vulnerability affects a widely used WordPress plugin, many websites could be at risk, especially those that allow multiple contributors or editors. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the attacker’s privileges, increasing the severity. Exploitation could lead to compromise of user accounts, leakage of confidential information, and erosion of user trust. Although no known exploits are reported yet, the ease of exploitation and the common use of the plugin make it a credible threat. Organizations relying on this plugin for their WordPress sites face reputational damage and operational risks if exploited.

Organizations should immediately audit their WordPress sites for the use of Livemesh Addons for Beaver Builder plugin and identify versions up to 3.9.2. Since no official patch is currently linked, temporary mitigations include restricting Contributor-level user permissions to prevent untrusted users from adding or editing shortcode attributes. Administrators should implement a strict content review process for any user-generated content involving the affected shortcode. Employing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections in shortcode attributes can reduce risk. Additionally, site owners should monitor logs for unusual activity and consider disabling the affected shortcode until a patch is available. Developers or site maintainers can also consider custom filters to sanitize and escape shortcode attributes properly before rendering. Regular backups and incident response plans should be in place to recover from potential exploitation. Once a vendor patch is released, prompt updating is critical to fully remediate the vulnerability.