PowerPack Lite for Beaver Builder < 1.3.0.5 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE 2024-37409 | Plugin Vulnerabilities

Description

The PowerPack Lite for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

powerpack-addon-for-beaver-builder

Fixed in 1.3.0.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/88f90762-2d2b-4a31-ac8d-324eab702727

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

João Pedro Soares de Alcântara

Verified

No

WPVDB ID

25b8b558-b5dd-470f-8b22-43c597f7a935

Timeline

Publicly Published

2024-06-28 (about 1 year ago)

Added

2024-07-03 (about 1 year ago)

Last Updated

2024-07-03 (about 1 year ago)

Other

Published

Title

Published

2024-05-14

Title

Import and export users and customers < 1.26.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-06-30

Title

WPFactory Helper < 1.5.3 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Subscribe To Comments Reloaded 140204 - options/index.php manager_page Parameter Stored XSS Weakness

Published

2026-03-23

Title

DSGVO snippet for Leaflet Map and its Extensions < 3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'unset' Attribute

Published

2025-03-18

Title

RDP Linkedin Login <= 1.7.0 - Reflected Cross-Site Scripting