cleantalk
Vulnerabilities and Security Researches

WPBakery Page Builder Addons by Livemesh, CVE-2026-3895

CVE, Research URL

CVE-2026-3895

Home page URL

Security reports for WPBakery Page Builder Addons by Livemesh

Application

WPBakery Page Builder Addons by Livemesh

Published on
May 27, 2026
Research Description
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.
Affected versions
max 3.9.4.
Status
vulnerable
Previous vulnerability researches
Centangle-Team (CVE-2025-12456) , Nov 11, 2025
New vulnerability
Sunshine Photo Cart: Free Client Galleries for Photographers (CVE-2026-42776) , May 28, 2026
WPBakery Page Builder Addons by Livemesh (CVE-2026-2030) , May 28, 2026
WPBakery Page Builder Addons by Livemesh (CVE-2026-3895) , May 28, 2026
LiteSpeed Cache (CVE-2026-3375) , May 28, 2026
WP Search Analytics (CVE-2026-27357) , May 28, 2026