Approved changes feed: RSS · Atom

cpe:2.3:a:livemesh:wpbakery_page_builder_addons_by_livemesh:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorLivemesh (1612245a-73f2-5170-8d95-d6413fcd21fb)
ProductWpbakery Page Builder Addons By Livemesh (9b43b285-0b92-5513-8340-3f111ae668fa)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-3895 vulnerable 2026-06-08 08:01:19.639887 WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
MEDIUM (6.4)
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.
Published: 2026-05-27T06:46:19.096Z
Updated: 2026-05-27T10:28:46.566Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2030 vulnerable 2026-06-08 07:55:16.409786 WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
MEDIUM (6.4)
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcode attributes in all versions up to, and including, 3.9.4 due to insufficient input sanitization and output escaping. Specifically, shortcode attributes are encoded with `wp_json_encode()` and output into single-quoted `data-settings` HTML attributes without using `esc_attr()`, allowing attackers to break out of the attribute by injecting single quotes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27T06:46:17.863Z
Updated: 2026-05-27T10:29:27.813Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2079 vulnerable 2026-06-08 06:33:30.304213 WPBakery Page Builder Addons by Livemesh <= 3.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
MEDIUM (6.4)
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'per_line_mobile' shortcode in all versions up to, and including, 3.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2024-03-13T21:32:55.441Z
Updated: 2026-04-08T16:43:47.921Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-50370 vulnerable 2026-06-08 06:16:16.068922 WordPress Livemesh Addons for WPBakery Page Builder Plugin <= 3.5 is vulnerable to Cross Site Scripting (XSS)
MEDIUM (6.5)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh WPBakery Page Builder Addons by Livemesh allows Stored XSS.This issue affects WPBakery Page Builder Addons by Livemesh: from n/a through 3.5.
Published: 2023-12-14T13:42:59.541Z
Updated: 2026-04-28T16:08:58.788Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-4974 vulnerable 2026-06-08 05:52:02.653617 Freemius SDK <= 2.4.2 - Missing Authorization Checks
MEDIUM (6.3)
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Published: 2024-10-16T06:43:30.014Z
Updated: 2026-04-08T16:46:54.861Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.