CVE-2026-2030 livemesh CVE debrief

Who should care

WordPress site administrators using WPBakery Page Builder Addons by Livemesh plugin; security teams monitoring WordPress plugin vulnerabilities; developers maintaining sites with Contributor-level user access; compliance teams tracking authenticated XSS exposure in content management systems

Technical summary

The vulnerability stems from improper escaping in two carousel shortcode implementations. The `wp_json_encode()` function produces JSON-encoded output that is placed directly into single-quoted HTML attributes. Without `esc_attr()` wrapping, an attacker can inject a payload like `'};alert(1);//` to break out of the `data-settings` attribute and execute arbitrary JavaScript. The JSON encoding does not provide sufficient context-aware escaping for HTML attribute contexts, particularly when single quotes are used as attribute delimiters.

Defensive priority

medium

Recommended defensive actions

• Update WPBakery Page Builder Addons by Livemesh plugin to version 3.9.5 or later if available
• Review and audit all posts and pages for unauthorized use of `[lvca_carousel]` or `[lvca_posts_carousel]` shortcodes, particularly those containing suspicious single-quote patterns or encoded payloads
• Implement Content Security Policy (CSP) headers to mitigate impact of any unpatched XSS vectors
• Restrict Contributor-level access to trusted users only until patching is complete
• Consider using WordPress security plugins with XSS filtering capabilities as a defense-in-depth measure
• Review web server access logs for unusual patterns of shortcode usage or encoded payload submissions

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin source code references. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Official resources