{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2481", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-13T18:30:31.731Z", "datePublished": "2026-04-08T11:16:58.131Z", "dateUpdated": "2026-04-08T16:55:17.525Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:17.525Z"}, "affected": [{"vendor": "beaverbuilder", "product": "Beaver Builder Page Builder \u2013 Drag and Drop Website Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.10.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Beaver Builder Page Builder \u2013 Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings[js]' parameter in versions up to, and including, 2.10.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Beaver Builder Page Builder \u2013 Drag and Drop Website Builder <= 2.10.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'settings[js]'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b15575f-0638-40ec-b152-20ba2225a725?source=cve"}, {"url": "https://www.wpbeaverbuilder.com/change-logs/?utm_medium=bb-lite&utm_source=repo-readme&utm_campaign=repo-changelog-page"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "timeline": [{"time": "2026-02-13T18:46:02.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T22:31:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:59:11.952311Z", "id": "CVE-2026-2481", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:59:27.825Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2481", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:59:11.952311Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:59:23.869Z"}}], "cna": {"title": "Beaver Builder Page Builder \u2013 Drag and Drop Website Builder <= 2.10.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'settings[js]'", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "beaverbuilder", "product": "Beaver Builder Page Builder \u2013 Drag and Drop Website Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.10.1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T18:46:02.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T22:31:55.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b15575f-0638-40ec-b152-20ba2225a725?source=cve"}, {"url": "https://www.wpbeaverbuilder.com/change-logs/?utm_medium=bb-lite&utm_source=repo-readme&utm_campaign=repo-changelog-page"}], "descriptions": [{"lang": "en", "value": "The Beaver Builder Page Builder \u2013 Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings[js]' parameter in versions up to, and including, 2.10.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T11:16:58.131Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2481", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:59:27.825Z", "dateReserved": "2026-02-13T18:30:31.731Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T11:16:58.131Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Beaver Builder Page Builder \u2013 Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings[js]' parameter in versions up to, and including, 2.10.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2481", "lastModified": "2026-04-24T18:05:09.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T12:16:21.280", "references": [{"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b15575f-0638-40ec-b152-20ba2225a725?source=cve"}, {"source": "security@wordfence.com", "url": "https://www.wpbeaverbuilder.com/change-logs/?utm_medium=bb-lite&utm_source=repo-readme&utm_campaign=repo-changelog-page"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.10.1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Beaver Builder Page Builder \u2013 Drag and Drop Website Builder", "source": "cna", "vendor": "beaverbuilder"}, "product": "beaver_builder_page_builder_\u2013_drag_and_drop_website_builder", "vendor": "beaverbuilder"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T12:21:51.746335+00:00", "value": {"mitigation_remediation": ["Check the current version of Beaver Builder Page Builder \u2013 Drag and Drop Website Builder on the WordPress admin interface.", "Update the plugin to the latest release (2.10.1.2 or later) where the 'settings[js]' sanitization issue has been fixed.", "Verify that no injected scripts remain by inspecting the page source on a clean test site.", "If an immediate update is not possible, limit author and higher\u2011level permissions to read\u2011only where feasible, or temporarily disable the plugin until a patch can be applied."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All WordPress sites that are running Beaver Builder Page Builder \u2013 Drag and Drop Website Builder versions 2.10.1.1 and earlier are potentially affected. The vulnerability applies to the plugin\u2019s drag\u2011and\u2011drop page editor where authors can modify page settings, and any site that has not yet upgraded to a patched release.", "description_and_impact": "The Beaver Builder Page Builder \u2013 Drag and Drop Website Builder plugin for WordPress contains insufficient input sanitization and output escaping for the 'settings[js]' parameter. This flaw allows an authenticated attacker with author-level privileges to inject arbitrary JavaScript code that is stored server\u2011side and executed in each visitor\u2019s browser when they load the affected page. The injected scripts can be used to steal session data, deface the site, or run additional malicious payloads, thereby compromising user confidentiality and integrity.", "risk_and_exploitability": "The score of 6.4 places the vulnerability in the medium severity range. The exploit requires the attacker to be authenticated as an author or higher and to possess the ability to edit page settings. Once the malicious script is stored, it is automatically delivered to any visitor of the vulnerable page, making it an easily exploitable threat for sites that rely on the upgraded author role. The vulnerability is not yet listed in the CISA KEV catalog, and there is no EPSS value available to gauge the current exploitation probability."}}}}, "created": "2026-04-08T19:27:11.706619+00:00", "updated": "2026-04-08T19:39:48.664190+00:00", "vendors": ["beaverbuilder", "beaverbuilder$PRODUCT$beaver_builder_page_builder_\u2013_drag_and_drop_website_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}