CVE-2024-2142 Overview
CVE-2024-2142 is a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Ultimate Addons for Beaver Builder – Lite plugin for WordPress, developed by Brainstorm Force. The flaw affects all versions up to and including 1.5.7 and resides in the Info Table widget. Insufficient input sanitization and output escaping allow authenticated users with contributor-level access or above to inject arbitrary JavaScript into pages. Injected scripts execute in the browser of any visitor who accesses the affected page.
Critical Impact
Authenticated contributors can store malicious JavaScript that executes in administrator browsers, enabling session theft, account takeover, and unauthorized actions across the WordPress site.
Affected Products
- Brainstorm Force Ultimate Addons for Beaver Builder – Lite (WordPress plugin)
- All versions through 1.5.7
- Info Table widget module (modules/info-table/includes/frontend.php)
Discovery Timeline
- 2024-03-30 - CVE-2024-2142 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2024-2142
Vulnerability Analysis
The vulnerability resides in the Info Table widget shipped with Ultimate Addons for Beaver Builder – Lite. The widget renders user-supplied content from the page builder editor into the frontend without applying sufficient sanitization or output escaping. As a result, attribute and content values controlled by the widget author are echoed into the HTML response unfiltered.
Attackers with contributor-level access or above can craft page content containing JavaScript payloads that persist in the database. When any visitor — including site administrators — loads the affected page, the script executes in their browser context. This stored variant of XSS is more impactful than reflected XSS because the payload survives across sessions and reaches every viewer.
The scope-change rating in the CVSS vector reflects the ability for injected scripts to act beyond the vulnerable component, interacting with the broader WordPress administrative interface.
Root Cause
The root cause is missing input sanitization and missing output escaping in the Info Table widget's frontend rendering logic located in modules/info-table/includes/frontend.php. Functions such as esc_html(), esc_attr(), or wp_kses_post() are not consistently applied to user-controlled values before they are emitted into the page markup.
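To make the missing-escaping pattern concrete, here is an added illustration (not the plugin's own code) of a stripped-down Info Table render routine beside its corrected form; the setting names (css_id, link, heading, description) are assumptions, and it assumes WordPress is loaded so the escaping API exists:

```php
<?php
// Added illustration, not the plugin's own code: a stripped-down Info Table
// render routine showing the missing-escaping pattern described above, next to
// the corrected form. The setting names (css_id, link, heading, description)
// are assumptions. Assumes WordPress is loaded (e.g. run via `wp eval-file`)
// so that esc_attr(), esc_url(), esc_html() and wp_kses_post() exist.

// BEFORE: widget settings are concatenated straight into markup, so whatever
// a contributor saved in the editor reaches the browser verbatim.
function uabb_info_table_render_vulnerable( object $s ): string {
    return '<div class="uabb-info-table" id="' . $s->css_id . '">'
        . '<a href="' . $s->link . '">'
        . '<h3 class="uabb-info-table-heading">' . $s->heading . '</h3></a>'
        . '<div class="uabb-info-table-description">' . $s->description . '</div>'
        . '</div>';
}

// AFTER: each value is escaped for the context it lands in:
//   esc_attr()     inside an attribute value (id="...")
//   esc_url()      as an href target (rejects javascript: and other unsafe schemes)
//   esc_html()     as a plain text node
//   wp_kses_post() for a rich-text field that legitimately carries limited HTML
// Escaping at output is what CWE-79 requires; sanitizing on save (for example
// sanitize_text_field() in the settings handler) is defence in depth, not a substitute.
function uabb_info_table_render_fixed( object $s ): string {
    return '<div class="uabb-info-table" id="' . esc_attr( $s->css_id ) . '">'
        . '<a href="' . esc_url( $s->link ) . '">'
        . '<h3 class="uabb-info-table-heading">' . esc_html( $s->heading ) . '</h3></a>'
        . '<div class="uabb-info-table-description">' . wp_kses_post( $s->description ) . '</div>'
        . '</div>';
}

// Constructed settings carrying one probe of each kind the indicators on this page list.
$s = (object) array(
    'css_id'      => 'tbl" onmouseover="alert(1)',
    'link'        => 'javascript:alert(1)',
    'heading'     => '<img src=x onerror=alert(1)>',
    'description' => '<p>Plan <b>A</b></p><script>alert(1)</script>',
);
echo uabb_info_table_render_fixed( $s ), PHP_EOL;
// With escaping applied the id stays inside its quotes, the href becomes empty,
// the heading renders as literal text, and the <script> tags are removed
// (leaving inert text) while the <p>/<b> formatting survives.
```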
Attack Vector
Exploitation requires an authenticated WordPress account at the contributor role or higher and user interaction by a victim who loads the injected page. The attacker creates or edits a page using the Info Table widget, embeds a JavaScript payload into a vulnerable field, and saves the page. When an editor or administrator previews or publishes the content, the payload executes with the victim's privileges.
The vulnerability manifests in the Info Table widget's frontend rendering path. See the WordPress Plugin File Reference and the Wordfence Vulnerability Report for technical details.
Detection Methods for CVE-2024-2142
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or HTML event handlers (onerror, onclick, onload) stored within WordPress post_content for pages using the Info Table widget.
- Outbound browser requests from admin sessions to attacker-controlled domains following page previews.
- New or modified administrator accounts created shortly after a contributor edits a page containing an Info Table widget.
Detection Strategies
- Query the wp_posts table for Info Table widget shortcodes or markup containing suspicious HTML attributes or script-like strings.
- Inspect plugin version metadata across WordPress installations and flag any instance of Ultimate Addons for Beaver Builder – Lite at or below 1.5.7.
- Review user role audit logs for contributor-level accounts that recently created or edited pages using the Info Table module.
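The wp_posts query from the strategies above, as an added detection example (not from the plugin or the original report) that scans constructed rows; the Info Table marker string is an assumption about the widget's markup:

```php
<?php
// Added detection example, not the plugin's or the original report's code.
// Flags wp_posts rows whose Info Table markup carries script-like content.
// Runs standalone on the constructed $rows below; under `wp eval-file` swap in
// $wpdb->get_results( "SELECT ID, post_author, post_content FROM {$wpdb->posts}
//   WHERE post_content LIKE '%info-table%'", ARRAY_A ).
// The widget marker string is an assumption about the Info Table's markup.

const UABB_INFO_TABLE_MARKER = 'uabb-info-table';
// Patterns drawn from the indicators above: <script> tags, javascript: URIs
// and inline event-handler attributes. Output is a triage list: the handler
// regex is deliberately loose and can match benign attributes.
const UABB_XSS_PATTERNS = array(
    'script_tag'     => '/<\s*script\b/i',
    'javascript_uri' => '/(?:href|src|action)\s*=\s*["\']?\s*javascript\s*:/i',
    'event_handler'  => '/\son[a-z]+\s*=/i',
);

// Returns one finding per flagged post: ID, post_author and matched pattern names.
function uabb_scan_info_table_posts( array $rows ): array {
    $findings = array();
    foreach ( $rows as $row ) {
        $content = $row['post_content'];
        if ( stripos( $content, UABB_INFO_TABLE_MARKER ) === false ) {
            continue; // only pages built with the vulnerable widget are in scope
        }
        $hits = array();
        foreach ( UABB_XSS_PATTERNS as $name => $regex ) {
            if ( preg_match( $regex, $content ) ) {
                $hits[] = $name;
            }
        }
        if ( $hits ) {
            $findings[] = array( 'ID' => $row['ID'], 'post_author' => $row['post_author'], 'hits' => $hits );
        }
    }
    return $findings;
}

// Constructed sample rows: a clean widget, a widget with an inline handler,
// and script markup outside the widget (out of scope for this check).
$rows = array(
    array( 'ID' => 11, 'post_author' => 2, 'post_content' => '<div class="uabb-info-table"><h3>Pricing</h3></div>' ),
    array( 'ID' => 12, 'post_author' => 5, 'post_content' => '<div class="uabb-info-table"><img src=x onerror=alert(1)></div>' ),
    array( 'ID' => 13, 'post_author' => 5, 'post_content' => '<p><script>alert(1)</script></p>' ),
);
foreach ( uabb_scan_info_table_posts( $rows ) as $f ) {
    printf( "post %d by author %d: %s\n", $f['ID'], $f['post_author'], implode( ', ', $f['hits'] ) );
}
```

Cross-reference the post_author values against the role audit described above to spot contributor-level accounts behind flagged pages.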
Monitoring Recommendations
- Enable WordPress audit logging to capture post edits, user creation events, and role changes.
- Monitor web server response bodies for unsanitized HTML originating from frontend.php rendering paths.
- Alert on anomalous administrator session activity such as unexpected REST API calls or password and email changes immediately after page previews.
How to Mitigate CVE-2024-2142
Immediate Actions Required
- Update Ultimate Addons for Beaver Builder – Lite to a version newer than 1.5.7 that addresses the Info Table sanitization issue.
- Audit existing pages built with the Info Table widget and remove any embedded scripts or suspicious HTML attributes.
- Review the WordPress user list and revoke contributor-level access from accounts that are no longer required.
Patch Information
Brainstorm Force addressed the vulnerability in a plugin update following the disclosure tracked in the WordPress Plugin Change Set. Administrators should apply the latest available release through the WordPress plugin updater and confirm the version after upgrading.
Workarounds
- Deactivate the Ultimate Addons for Beaver Builder – Lite plugin until the patched version is installed.
- Restrict contributor and author registration on the WordPress site to trusted users only.
- Deploy a web application firewall rule that blocks <script> tags and HTML event handler attributes submitted to the WordPress REST and admin-ajax endpoints used by Beaver Builder.
# Configuration example: apply the fix with WP-CLI, then confirm the installed version is above 1.5.7
wp plugin update ultimate-addons-for-beaver-builder-lite
wp plugin list --name=ultimate-addons-for-beaver-builder-lite --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.