{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1231", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-20T13:57:17.987Z", "datePublished": "2026-02-11T01:23:34.203Z", "dateUpdated": "2026-04-08T17:03:22.254Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:22.254Z"}, "affected": [{"vendor": "beaverbuilder", "product": "Beaver Builder Page Builder \u2013 Drag and Drop Website Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.10.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Beaver Builder Page Builder \u2013 Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on save_global_settings() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above who have been granted beaver builder access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Beaver Builder Page Builder \u2013 Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7827bb-44d7-432d-85aa-3fdb117e1898?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/tags/2.9.4.2/classes/class-fl-builder.php#L4394"}, {"url": "https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/tags/2.9.4.2/classes/class-fl-builder-model.php#L4762"}, {"url": "https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/tags/2.9.4.2/classes/class-fl-builder-ajax.php#L185"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "timeline": [{"time": "2026-01-07T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-20T14:44:54.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-10T12:42:02.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:37:17.348482Z", "id": "CVE-2026-1231", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:45:36.574Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1231", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:37:17.348482Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:37:18.058Z"}}], "cna": {"title": "Beaver Builder Page Builder \u2013 Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "beaverbuilder", "product": "Beaver Builder Page Builder \u2013 Drag and Drop Website Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.10.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-07T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-20T14:44:54.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-10T12:42:02.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7827bb-44d7-432d-85aa-3fdb117e1898?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/tags/2.9.4.2/classes/class-fl-builder.php#L4394"}, {"url": "https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/tags/2.9.4.2/classes/class-fl-builder-model.php#L4762"}, {"url": "https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/tags/2.9.4.2/classes/class-fl-builder-ajax.php#L185"}], "descriptions": [{"lang": "en", "value": "The Beaver Builder Page Builder \u2013 Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on save_global_settings() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above who have been granted beaver builder access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:22.254Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1231", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:22.254Z", "dateReserved": "2026-01-20T13:57:17.987Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-11T01:23:34.203Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Beaver Builder Page Builder \u2013 Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on save_global_settings() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above who have been granted beaver builder access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Beaver Builder Page Builder \u2013 Drag and Drop Website Builder para WordPress es vulnerable a Stored Cross-Site Scripting a trav\u00e9s del par\u00e1metro de Configuraci\u00f3n Global 'js' en todas las versiones hasta, e incluyendo, la 2.10.0.5 debido a la falta de comprobaciones de capacidad en la funci\u00f3n save_global_settings() y a la sanitizaci\u00f3n de entrada y escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel 'Custom' y superior a quienes se les ha concedido acceso a Beaver Builder, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1231", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-11T02:15:58.297", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/tags/2.9.4.2/classes/class-fl-builder-ajax.php#L185"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/tags/2.9.4.2/classes/class-fl-builder-model.php#L4762"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/tags/2.9.4.2/classes/class-fl-builder.php#L4394"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7827bb-44d7-432d-85aa-3fdb117e1898?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.0.5]"}}], "product": "beaver_builder_page_builder_\u2013_drag_and_drop_website_builder", "vendor": "beaverbuilder"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:38:34.417959+00:00", "value": {"mitigation_remediation": ["Upgrade the Beaver Builder plugin to version 2.10.0.6 or later, which removes the missing capability check and adds proper input sanitization and output escaping.", "If an immediate upgrade is not possible, revoke Custom\u2011level and higher Beaver Builder capabilities from all users that are not absolutely required, or limit those users to read\u2011only access so they cannot edit global settings.", "Ensure that no other plugins or custom code can programmatically write to the Beaver Builder global settings without proper capability checks."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Beaver Builder Page Builder \u2013 Drag and Drop Website Builder plugin, versions 2.10.0.5 and earlier. The vulnerability affects all installations that use the plugin with any Global Settings configuration.", "description_and_impact": "The Beaver Builder Page Builder \u2013 Drag and Drop Website Builder plugin is vulnerable to stored XSS through the global settings field \u2018js\u2019. The flaw arises because the function that saves global settings performs no capability checks and does not properly sanitize or escape the input. As a result, an authenticated user with Custom\u2011level access or higher who has been granted Beaver Builder permissions can inject arbitrary JavaScript. Once stored, the script executes whenever any visitor loads a page that includes the affected global settings, enabling attackers to deface pages, steal credentials, or conduct further attacks against site users.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, but the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers need an authenticated account with Custom\u2011level or higher access, and the ability to edit Beaver Builder Global Settings, to exploit the stored XSS. No additional conditions are reported; the flaw can be triggered solely by submitting a malicious payload to the \u2018js\u2019 field through the normal settings interface."}}}}, "created": "2026-02-11T21:46:15.906567+00:00", "updated": "2026-04-15T18:45:11.419983+00:00", "vendors": ["beaverbuilder", "beaverbuilder$PRODUCT$beaver_builder_page_builder_\u2013_drag_and_drop_website_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}