cleantalk
Vulnerabilities and Security Researches

WPBakery Page Builder Addons by Livemesh, CVE-2026-3895

CVE, Research URL

CVE-2026-3895

Home page URL

Security reports for WPBakery Page Builder Addons by Livemesh

Application

WPBakery Page Builder Addons by Livemesh

Published on
May 27, 2026
Research Description
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.
Affected versions
max 3.9.4.
Status
vulnerable
Previous vulnerability researches
Enable jQuery Migrate Helper (CVE-2026-3279) , May 27, 2026
New vulnerability
Auto Thumbnails (CVE-2026-8899) , May 28, 2026
BitForm – Data management solution for WordPress (CVE-2026-8891) , May 28, 2026
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store  (CVE-2026-42727) , May 28, 2026
VikBooking Hotel Booking Engine & PMS (CVE-2026-42683) , May 28, 2026
Geo Mashup (CVE-2026-27427) , May 28, 2026