PatchSiren

CVE-2026-3895 livemesh CVE debrief

The WPBakery Page Builder Addons by Livemesh plugin for WordPress contains a stored cross-site scripting vulnerability in the `lvca_admin_ajax` AJAX handler. The endpoint verifies a nonce but does not check the requesting user's capabilities, so any authenticated user with Subscriber-level access or higher can modify plugin settings and store script payloads in them. Those payloads execute when an administrator opens the plugin settings page or when any visitor loads a frontend page that renders the affected settings. All versions up to and including 3.9.4 are affected. The issue was disclosed on 2026-05-27.

Vendor: livemesh
Product: WPBakery Page Builder Addons by Livemesh
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators running the WPBakery Page Builder Addons by Livemesh plugin, especially on sites with open registration or other untrusted authenticated users (membership sites, WooCommerce customers, commenters with accounts). Security teams monitoring WordPress environments for plugin-based attack paths. Developers maintaining WordPress plugins whose AJAX endpoints rely on a nonce check alone.

Technical summary

The `lvca_admin_ajax` AJAX endpoint in the WPBakery Page Builder Addons by Livemesh plugin does not perform a capability check. It validates a nonce, but it never confirms that the requesting user holds a capability appropriate for changing plugin settings (for a settings page that is normally `manage_options`). A WordPress nonce is a per-user CSRF token: any logged-in user, including a Subscriber, can obtain a nonce issued for their own session, so passing the nonce check proves only that the user intended the request, not that they are allowed to make it. The result is that any authenticated user can send a crafted request to the endpoint and alter the plugin configuration. Because the submitted values are also stored without sanitization, they can carry JavaScript that persists in the database and runs in the browser of an administrator viewing the settings page, or of any visitor to a frontend page that renders the affected setting. The vulnerability is classified as CWE-862 (Missing Authorization); the stored XSS is the consequence of that missing check combined with the missing sanitization. It is a textbook case of why nonce verification alone does not protect administrative functionality: a nonce check and a capability check answer different questions and both are required.
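The pattern described above, as an added example written for this debrief rather than code taken from the Livemesh plugin: a generic WordPress settings AJAX handler in the vulnerable shape (nonce verified, capability never checked, value stored raw), followed by the hardened shape. The action names, option name and field name (`example_*`, `custom_css_class`) are hypothetical; only the WordPress API calls are real.

```php
<?php
/**
 * Added example, not the plugin's own code. Option, field and action names
 * are hypothetical; the WordPress functions used are real.
 */

// --- Vulnerable shape: nonce verified, capability never checked, value stored raw.
function example_vulnerable_settings_ajax() {
    // check_ajax_referer() only proves the request carries a nonce minted for the
    // *current* logged-in user. Every logged-in user, including a Subscriber, can
    // obtain a nonce for their own session, so this is CSRF protection, not
    // authorization.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // Missing: current_user_can( 'manage_options' ) or equivalent (CWE-862).
    // Missing: sanitization of the submitted value.
    $value = isset( $_POST['custom_css_class'] ) ? wp_unslash( $_POST['custom_css_class'] ) : '';
    update_option( 'example_custom_css_class', $value ); // "<script>...</script>" is stored verbatim

    wp_send_json_success( array( 'saved' => true ) );
}
// Registered the same way a real handler would be (left commented so the
// vulnerable shape is never live):
// add_action( 'wp_ajax_example_vulnerable', 'example_vulnerable_settings_ajax' );

// --- Hardened shape: CSRF check + authorization + input sanitization.
function example_hardened_settings_ajax() {
    // 1. CSRF: the request was deliberately made by this user.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // 2. Authorization: only users permitted to manage settings may proceed.
    //    wp_send_json_error() calls wp_die(), so nothing below runs on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Sanitization: constrain the value to what the setting actually means.
    //    A CSS class is a plain token; sanitize_html_class() keeps [A-Za-z0-9_-] only.
    $raw   = isset( $_POST['custom_css_class'] ) ? wp_unslash( $_POST['custom_css_class'] ) : '';
    $value = sanitize_html_class( $raw );

    update_option( 'example_custom_css_class', $value );
    wp_send_json_success( array( 'saved' => true, 'value' => $value ) );
}
add_action( 'wp_ajax_example_hardened', 'example_hardened_settings_ajax' );

// --- Output: escape at render time regardless of what reached the database,
//     so a payload that slipped past input handling still cannot execute.
function example_render_settings_field() {
    $value = get_option( 'example_custom_css_class', '' );
    printf(
        '<input type="text" name="custom_css_class" value="%s">',
        esc_attr( $value )
    );
}
```

The three checks are independent: the nonce stops cross-site forgery, `current_user_can()` stops a low-privilege user acting directly, and sanitization plus output escaping stop stored XSS even if an authorized administrator's account is the one that is compromised. Dropping any one of them leaves a distinct hole; the advisory's endpoint kept only the first.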

Defensive priority

HIGH

Recommended defensive actions

  • Update WPBakery Page Builder Addons by Livemesh to a fixed release (3.9.5 or later) as soon as one is available; 3.9.4 is the last affected version named in the advisory
  • If no patch is available, temporarily deactivate the plugin, or disable open registration and remove or downgrade untrusted Subscriber-level accounts so that no untrusted user can authenticate
  • If the plugin has been in use on a site with untrusted authenticated users, audit its stored settings in `wp_options` for script tags, event-handler attributes (`onerror=`, `onload=`), `javascript:` URLs and other injected markup, and compare them against known-good values
  • Add a WAF or reverse-proxy rule that logs, rate-limits or blocks POST requests to `wp-admin/admin-ajax.php` whose `action` parameter is `lvca_admin_ajax` when they do not originate from administrator sessions
  • Watch the plugin settings page and frontend pages for unexpected inline scripts, and review web server logs for `lvca_admin_ajax` calls from low-privilege accounts
  • Apply least privilege: grant Subscriber-level (or any authenticated) access only where it is genuinely needed, and remove dormant accounts
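A concrete form of the interim mitigation and the settings audit above, as an added example that is not the vendor's code: a must-use plugin that refuses `lvca_admin_ajax` requests from users who cannot manage options (running before the plugin's own callback), logs each blocked attempt, and exposes a WP-CLI command that flags stored options containing script-like content. The hook name `wp_ajax_lvca_admin_ajax` follows from the WordPress convention for an AJAX action named `lvca_admin_ajax`; the option-name prefix `lvca_` is an assumption and should be confirmed by inspecting `wp_options`.

```php
<?php
/**
 * Plugin Name: Example virtual patch for lvca_admin_ajax (added example, not vendor code)
 * Install by copying into wp-content/mu-plugins/. Assumptions: the plugin's
 * settings are stored under option names beginning with 'lvca_'.
 */

// (a) Guard: priority 0 runs before the plugin's own callback (default priority 10).
//     wp_send_json_error() ends the request, so the vulnerable handler never executes.
add_action( 'wp_ajax_lvca_admin_ajax', 'example_guard_lvca_admin_ajax', 0 );
function example_guard_lvca_admin_ajax() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // legitimate administrator: let the plugin handle the request
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'lvca_admin_ajax blocked: user_id=%d login=%s ip=%s',
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// (b) Audit: return the names of options under $prefix whose stored value
//     contains script-like content. Serialized arrays are scanned as-is, since
//     the injected substrings survive serialization unchanged.
function example_find_suspicious_options( $prefix = 'lvca_' ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
        $wpdb->esc_like( $prefix ) . '%'
    ) );
    $pattern = '/<script\b|javascript:|\bon[a-z]+\s*=|<svg\b|<iframe\b|<object\b/i';
    $hits    = array();
    foreach ( $rows as $row ) {
        if ( preg_match( $pattern, (string) $row->option_value ) ) {
            $hits[] = $row->option_name;
        }
    }
    return $hits;
}

// Usage: wp example-audit-lvca
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'example-audit-lvca', function () {
        $hits = example_find_suspicious_options();
        if ( empty( $hits ) ) {
            WP_CLI::success( 'No script-like content found in lvca_* options.' );
        } else {
            WP_CLI::warning( 'Review these options manually: ' . implode( ', ', $hits ) );
        }
    } );
}
```

The guard is a stopgap, not a fix: it assumes the plugin registers only the authenticated `wp_ajax_` hook (the advisory describes an authenticated-only issue) and that `manage_options` is the right bar for the settings it protects. Remove it once the vendor's patched release is installed, and treat any audit hit as a sign that the settings should be restored from a known-good backup rather than edited in place.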

Evidence notes

The vulnerability exists in the `lvca_admin_ajax` AJAX action, which lacks proper authorization checks beyond nonce verification. Source code references indicate the affected files include admin/admin-ajax.php at line 64, admin/views/settings.php at line 568, and includes/helper-functions.php at line 256. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, scoring 6.4 (Medium). The primary weakness is CWE-862 (Missing Authorization).

Official resources

2026-05-27