WordPress Plugin Vulnerabilities

Beaver Builder < 2.7.4.3 - Reflected XSS

Description

The plugin is vulnerable to DOM-Based Reflected Cross-Site Scripting via a 'playground.wordpress.net' parameter due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
beaver-builder-lite-version
Fixed in 2.7.4.3

References

CVE
CVE-2024-1038
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e2cc2776-9496-42b5-a242-c572ae5462fb

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
5a36412d-19d8-4628-a705-08a0f20a0524

Timeline

Publicly Published
2024-02-20 (about 2 years ago)
Added
2024-02-21 (about 2 years ago)
Last Updated
2024-02-21 (about 2 years ago)

Other

Published
Title
Published
2024-07-08
Title
oik < 4.12.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via bw_button Shortcode
Published
2018-11-02
Title
Event Calendar WD <= 1.1.21 - Cross-Site Scripting (XSS)
Published
2024-06-19
Title
Flatsome < 3.19.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2026-01-01
Title
Owl Carousel WP <= 2.2.2 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2023-09-12
Title
Funnelforms Free < 3.4 Unauthenticated Stored Cross-Site Scripting