The WPBakery Page Builder Addons by Livemesh plugin for WordPress contains a stored cross-site scripting vulnerability in the `lvca_admin_ajax` AJAX handler. The endpoint verifies a nonce but fails to validate user capabilities, allowing authenticated attackers with Subscriber-level access or higher to modify plugin settings and inject malicious scripts. These scripts execute when administrators access th [truncated]
A stored cross-site scripting (XSS) vulnerability in the WPBakery Page Builder Addons by Livemesh WordPress plugin allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. The vulnerability exists in versions up to and including 3.9.4, specifically within the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcodes. The root cause is insufficient input saniti [truncated]
