CVE-2026-2029: Livemesh Addons Beaver Builder XSS Flaw

CVE-2026-2029 Overview

The Livemesh Addons for Beaver Builder plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the [labb_pricing_item] shortcode. The flaw exists in the title and value attributes due to insufficient input sanitization and improper output escaping. Specifically, the plugin uses htmlspecialchars_decode() after wp_kses_post(), which decodes HTML entities back into executable code after sanitization has already occurred. This vulnerability allows authenticated attackers with Contributor-level access or above to inject arbitrary web scripts into pages that execute whenever a user accesses the compromised content.

Critical Impact

Authenticated attackers can inject persistent malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or further compromise of WordPress administrator accounts.

Affected Products

• Livemesh Addons for Beaver Builder plugin for WordPress versions up to and including 3.9.2
• WordPress installations using the vulnerable [labb_pricing_item] shortcode functionality
• Beaver Builder page builder implementations with affected Livemesh addon versions

Discovery Timeline

• February 26, 2026 - CVE-2026-2029 published to NVD
• February 26, 2026 - Last updated in NVD database

Technical Details for CVE-2026-2029

Vulnerability Analysis

This Stored XSS vulnerability (CWE-79) occurs due to a flawed sanitization sequence in the Livemesh Addons plugin. The core issue stems from the improper ordering of security functions: the plugin applies wp_kses_post() for sanitization but then subsequently calls htmlspecialchars_decode(), which effectively reverses the sanitization by converting HTML entities back into their original characters.

The vulnerability is exploitable over the network and requires low attack complexity. An attacker needs only Contributor-level privileges on the WordPress site, with no user interaction required for initial exploitation. The scope is changed, meaning the vulnerability can impact resources beyond the vulnerable component itself—specifically, other users' browsers when they view pages containing injected scripts.

Root Cause

The root cause lies in the incorrect ordering of PHP sanitization functions within the labb-pricing-table.php module. The wp_kses_post() function is designed to filter content and encode potentially dangerous HTML characters. However, calling htmlspecialchars_decode() afterward negates this protection by decoding the escaped entities back into executable HTML and JavaScript code. This architectural flaw creates a bypass condition where malicious input that was properly sanitized becomes dangerous again before being rendered to users.

Attack Vector

An authenticated attacker with at least Contributor-level access can exploit this vulnerability by creating or editing content that uses the [labb_pricing_item] shortcode. By injecting malicious JavaScript payloads into the title or value attributes, the attacker can store persistent scripts that execute in visitors' browsers.

The attack flow involves crafting a shortcode attribute containing encoded XSS payloads. When the content is processed, wp_kses_post() sanitizes the input, but the subsequent htmlspecialchars_decode() call restores the malicious code. The payload is then stored in the database and executed every time the page is rendered.

For technical details on the vulnerable code paths, refer to the WordPress Plugin Trac at line 51 and line 59 of the pricing table module.

Detection Methods for CVE-2026-2029

Indicators of Compromise

• Unexpected JavaScript code or event handlers within [labb_pricing_item] shortcode attributes in post content
• Unusual script tags or encoded payloads in the title or value fields of pricing table items
• Database entries containing suspicious HTML entities or JavaScript within the wp_posts table for content using Livemesh shortcodes
• Browser console errors or unexpected network requests when viewing pages with pricing table modules

Detection Strategies

• Implement WordPress security plugins that scan for stored XSS patterns in post content and shortcode attributes
• Configure Web Application Firewalls (WAF) to detect and block common XSS payloads in POST requests to WordPress admin endpoints
• Enable Content Security Policy (CSP) headers to detect inline script execution attempts through violation reports
• Deploy SentinelOne Singularity for endpoint detection of malicious browser activity stemming from compromised WordPress pages

Monitoring Recommendations

• Monitor WordPress audit logs for suspicious shortcode modifications by Contributor-level users
• Track changes to pricing table content in the WordPress database for anomalous patterns
• Implement real-time alerting for CSP violations that may indicate XSS exploitation attempts
• Review server access logs for unusual POST requests to wp-admin/post.php containing potential payloads

How to Mitigate CVE-2026-2029

Immediate Actions Required

• Update Livemesh Addons for Beaver Builder to a patched version (if available) that addresses the sanitization ordering issue
• Audit all existing pricing table content for potentially malicious shortcode attributes
• Temporarily restrict Contributor-level users from creating or editing content with pricing table shortcodes
• Review and remove any suspicious scripts or encoded content from affected pages

Patch Information

Consult the Wordfence Vulnerability Report for the latest patch status and remediation guidance. Monitor the official WordPress plugin repository for updated versions of Livemesh Addons for Beaver Builder that resolve this vulnerability.

Workarounds

• Disable the Livemesh Addons for Beaver Builder plugin until a patched version is available
• Remove Contributor and Author role capabilities for creating or editing pages using pricing table modules
• Implement a custom filter to sanitize shortcode output without the vulnerable htmlspecialchars_decode() call
• Deploy a WAF rule to filter XSS payloads targeting the pricing table shortcode attributes

# WordPress configuration - restrict shortcode capability
# Add to wp-config.php or theme functions.php

# Option 1: Remove shortcode entirely until patched
# add_shortcode('labb_pricing_item', '__return_empty_string');

# Option 2: Audit existing content for suspicious patterns
# Run from WordPress CLI:
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[labb_pricing_item%' AND (post_content LIKE '%<script%' OR post_content LIKE '%javascript:%' OR post_content LIKE '%onerror%' OR post_content LIKE '%onload%')"