CVE-2024-2142 Overview
The Ultimate Addons for Beaver Builder – Lite plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Info Table widget. This security flaw affects all versions up to and including 1.5.7 and stems from insufficient input sanitization and output escaping within the plugin's code. The vulnerability allows authenticated attackers with contributor-level access or above to inject arbitrary web scripts into WordPress pages. These malicious scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or further attacks against site visitors.
Critical Impact
Authenticated attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of all users who view affected pages, potentially compromising administrator sessions and sensitive user data.
Affected Products
- Brainstormforce Ultimate Addons for Beaver Builder (Lite) versions up to and including 1.5.7
- WordPress installations running the vulnerable plugin versions
- Any site using the Info Table widget from the affected plugin
Discovery Timeline
- 2024-03-30 - CVE-2024-2142 published to NVD
- 2025-01-30 - Last updated in NVD database
Technical Details for CVE-2024-2142
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists within the Info Table widget component of the Ultimate Addons for Beaver Builder – Lite plugin. The flaw is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that user-supplied input is not properly sanitized before being rendered in the browser.
The vulnerable code path is located in the frontend rendering logic, specifically within frontend.php in the Info Table module. When a user with contributor-level permissions creates or modifies an Info Table widget, the input data is stored in the database without adequate sanitization. Subsequently, when the page containing this widget is rendered for any visitor, the malicious payload is output without proper escaping, allowing JavaScript code execution in the victim's browser context.
The attack requires authentication but only at a relatively low privilege level (contributor), which is a common role granted to content creators on WordPress sites. This broadens the potential attack surface, as contributors typically have less scrutiny than administrators.
Root Cause
The root cause of CVE-2024-2142 is the lack of proper input validation and output encoding in the Info Table widget's data handling. Specifically, the plugin fails to apply WordPress's built-in escaping functions (such as esc_html(), esc_attr(), or wp_kses()) when outputting user-controlled data. This oversight allows HTML and JavaScript content to be stored and subsequently rendered without modification, enabling Stored XSS attacks.
Attack Vector
The attack is executed over the network and requires an authenticated user with at least contributor-level privileges on the target WordPress installation. The attacker can craft a malicious Info Table widget containing JavaScript payloads, which are then stored in the WordPress database.
When any user—including administrators—views the page containing the compromised widget, the malicious script executes in their browser context. This can enable:
- Session cookie theft and account takeover
- Keylogging and credential harvesting
- Defacement of the WordPress site
- Redirection to phishing or malware distribution sites
- Privilege escalation if an administrator's session is compromised
The attack requires user interaction (UI:R) as victims must navigate to the affected page for the payload to execute. The vulnerability has a changed scope (S:C) as it can affect resources beyond the vulnerable component's security context.
Detection Methods for CVE-2024-2142
Indicators of Compromise
- Unexpected JavaScript code within Info Table widget content in the WordPress database
- Suspicious <script> tags or event handlers (onclick, onerror, etc.) in page source code generated by Info Table widgets
- Reports from users of unexpected browser behavior or redirects when viewing specific pages
- Unusual network requests to external domains originating from your WordPress site
- Web application firewall logs showing blocked XSS patterns in POST requests to the page builder
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution, with reporting enabled
- Configure web application firewall (WAF) rules to detect and alert on XSS patterns in WordPress API requests
- Regularly audit WordPress database for suspicious script content in serialized widget data
- Enable WordPress audit logging to track changes made by contributor-level users
- Monitor browser console errors that may indicate blocked malicious scripts
Monitoring Recommendations
- Deploy SentinelOne Singularity XDR for real-time monitoring of web application threats and behavioral anomaly detection
- Set up automated scanning with WordPress security plugins to detect known vulnerabilities in installed plugins
- Implement file integrity monitoring on WordPress plugin directories to detect unauthorized modifications
- Configure alerting for new or modified pages created by contributor-level accounts
How to Mitigate CVE-2024-2142
Immediate Actions Required
- Update the Ultimate Addons for Beaver Builder – Lite plugin to a version newer than 1.5.7 immediately
- Review and audit all Info Table widgets created by contributor-level users for malicious content
- Consider temporarily restricting contributor permissions or disabling the Info Table widget until patching is complete
- Implement Content Security Policy headers as a defense-in-depth measure against XSS attacks
- Invalidate all user sessions to terminate any potentially compromised administrative sessions
Patch Information
Brainstormforce has released a security update that addresses this vulnerability. The fix is available in the WordPress Changeset Update. Site administrators should update to the latest version of the plugin through the WordPress admin dashboard or by manually downloading from the WordPress plugin repository.
For additional technical details about the vulnerability, refer to the Wordfence Vulnerability Report and the WordPress Plugin Source Code.
Workarounds
- Temporarily disable the Ultimate Addons for Beaver Builder – Lite plugin if immediate patching is not possible
- Remove contributor-level access from untrusted users until the plugin is updated
- Deploy a web application firewall (WAF) rule to filter XSS patterns in requests targeting the affected widget
- Implement strict Content Security Policy headers to mitigate script execution from injected payloads
- Consider using an alternative page builder widget for info tables until the vulnerability is patched
# WordPress CLI command to update the plugin
wp plugin update ultimate-addons-for-beaver-builder-lite --force
# Verify current plugin version after update
wp plugin get ultimate-addons-for-beaver-builder-lite --field=version
# List all users with contributor role for audit purposes
wp user list --role=contributor --fields=ID,user_login,user_email
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
