cleantalk
Vulnerabilities and Security Researches

Beaver Builder – WordPress Page Builder, CVE-2026-1231

CVE, Research URL

CVE-2026-1231

Home page URL

Security reports for Beaver Builder – WordPress Page Builder

Application

Beaver Builder – WordPress Page Builder

Published on
Feb 11, 2026
Research Description
The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on save_global_settings() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above who have been granted beaver builder access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.10.0.6.
Status
vulnerable
Previous vulnerability researches
Easy Voice Mail (CVE-2026-1164) , Apr 15, 2026
New vulnerability
Customer Reviews for WooCommerce (CVE-2026-1316) , Apr 15, 2026
WP Recipe Maker (CVE-2026-1558) , Apr 15, 2026
Page and Post Clone (CVE-2026-2893) , Apr 15, 2026
Greenshift – animation and page builder blocks (CVE-2026-2589) , Apr 15, 2026
Greenshift – animation and page builder blocks (CVE-2026-1927) , Apr 15, 2026