CVE-2026-2029 Overview
CVE-2026-2029 is a Stored Cross-Site Scripting (XSS) vulnerability in the Livemesh Addons for Beaver Builder plugin for WordPress. The flaw affects all versions up to and including 3.9.2. It resides in the [labb_pricing_item] shortcode's title and value attributes. The plugin calls htmlspecialchars_decode() after wp_kses_post(), reversing sanitization and reintroducing executable HTML. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript into pages, which executes when other users view the affected content. The issue is tracked as [CWE-79].
Critical Impact
Authenticated contributors can persist JavaScript payloads that execute in the browsers of site visitors and administrators, enabling session theft, account takeover, or content manipulation.
Affected Products
- Livemesh Addons for Beaver Builder plugin for WordPress
- All versions up to and including 3.9.2
- WordPress sites permitting Contributor-level or higher accounts
Discovery Timeline
- 2026-02-26 - CVE-2026-2029 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-2029
Vulnerability Analysis
The vulnerability exists in the labb-pricing-table.php module of the Livemesh Addons for Beaver Builder plugin. The [labb_pricing_item] shortcode accepts user-controlled title and value attributes. These attributes are first sanitized using wp_kses_post(), which strips disallowed HTML and dangerous attributes. The plugin then passes the sanitized output through htmlspecialchars_decode(). This second call decodes HTML entities such as &lt;, &gt;, and &quot; back into their literal <, >, and " characters. The decoded output is then rendered inside the page without further escaping. The end result is that any payload that survives wp_kses_post() in entity-encoded form is restored to executable markup. Because the data is stored in post or page content, the script executes for every viewer of the rendered page.
Root Cause
The root cause is the misordered use of sanitization and decoding functions. Calling htmlspecialchars_decode() after wp_kses_post() defeats output escaping and reintroduces injectable HTML and JavaScript syntax into rendered output.
Attack Vector
An attacker with Contributor or higher privileges submits a page or post containing the [labb_pricing_item] shortcode with a malicious payload in the title or value attribute. After the content is saved and rendered, the script executes in the browser of any user who loads the page, including administrators. This can enable session hijacking, forced administrative actions, or redirection. Technical details are documented in the Wordfence vulnerability analysis and the affected source at labb-pricing-table.php line 51 and line 59.
Detection Methods for CVE-2026-2029
Indicators of Compromise
- Post or page content containing [labb_pricing_item] shortcodes with title or value attributes that include <script>, onerror=, onload=, or javascript: strings.
- Unexpected outbound HTTP requests from administrator browser sessions to attacker-controlled domains shortly after viewing pages containing the shortcode.
- New or modified administrator accounts created shortly after a Contributor account submits content using the affected shortcode.
Detection Strategies
- Audit the wp_posts table for shortcode usage matching [labb_pricing_item combined with suspicious attribute values containing HTML entities or script tokens.
- Review WordPress activity logs for Contributor-level users publishing or editing pages that contain pricing table shortcodes.
- Inspect rendered page DOM in a staging environment for unexpected <script> tags originating from pricing table modules.
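The wp_posts audit described above, written out as an added Python example (not code from the plugin or the Wordfence advisory): it extracts title and value attributes from each [labb_pricing_item] shortcode and decodes HTML entities the way the plugin's htmlspecialchars_decode() does before matching, so entity-encoded payloads that survive wp_kses_post() are flagged alongside literal ones. The sample rows and regexes are constructed assumptions.

```python
import html
import re

# Constructed sample rows standing in for (ID, post_content) from wp_posts; not real site data.
SAMPLE_POSTS = [
    (101, '[labb_pricing_item title="Basic" value="$9/mo"]Starter plan[/labb_pricing_item]'),
    (102, '[labb_pricing_item title="Pro &lt;script&gt;alert(1)&lt;/script&gt;" value="$29/mo"]'),
    (103, "[labb_pricing_item title='Team' value='&lt;img src=x onerror=alert(1)&gt;']"),
    (104, '[labb_pricing_item title="Enterprise" value="Contact us &amp; save"]Text[/labb_pricing_item]'),
]

# Shortcode opening tag and its attribute list (assumed shape: name="..." or name='...').
SHORTCODE_RE = re.compile(r"\[labb_pricing_item\b([^\]]*)\]")
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
# Tokens that indicate executable markup once the attribute value has been decoded.
SUSPICIOUS_RE = re.compile(r"<\s*script|<\s*iframe|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def flag_shortcodes(posts):
    """Return (post_id, attribute, decoded_value) for title/value attributes that decode to markup."""
    findings = []
    for post_id, content in posts:
        for shortcode in SHORTCODE_RE.finditer(content):
            for name, double_quoted, single_quoted in ATTR_RE.findall(shortcode.group(1)):
                if name not in ("title", "value"):
                    continue
                raw = double_quoted if double_quoted else single_quoted
                # Mirror the plugin: wp_kses_post() leaves entities intact, then
                # htmlspecialchars_decode() turns &lt;script&gt; back into <script>.
                decoded = html.unescape(raw)
                if SUSPICIOUS_RE.search(decoded):
                    findings.append((post_id, name, decoded))
    return findings


if __name__ == "__main__":
    for post_id, attr, value in flag_shortcodes(SAMPLE_POSTS):
        print(f"post {post_id}: {attr} decodes to executable markup: {value!r}")
```

Feed it real rows by replacing SAMPLE_POSTS with the output of a SELECT ID, post_content query over wp_posts (adjusting the table prefix to the site's own).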
Monitoring Recommendations
- Monitor WordPress user role assignments and alert on privilege escalations to Editor or Administrator.
- Enable web application firewall logging for requests containing encoded XSS payloads targeting post.php and post-new.php.
- Track plugin version inventory across WordPress deployments and alert on any installation of Livemesh Addons for Beaver Builder at or below version 3.9.2.
How to Mitigate CVE-2026-2029
Immediate Actions Required
- Update Livemesh Addons for Beaver Builder to a version later than 3.9.2 as soon as the vendor publishes a fixed release.
- Audit all existing pages and posts using the [labb_pricing_item] shortcode for malicious content and remove any injected scripts.
- Restrict Contributor and Author accounts to trusted users and review recent account registrations.
Patch Information
At the time of NVD publication, all versions up to and including 3.9.2 are affected. Site administrators should consult the Wordfence advisory and the WordPress plugin repository for the current patched release.
Workarounds
- Deactivate the Livemesh Addons for Beaver Builder plugin until a patched version is installed.
- Remove or disable the [labb_pricing_item] shortcode from active templates and content if the plugin must remain enabled.
- Apply a web application firewall rule that blocks shortcode attribute values containing <script, javascript:, or common XSS event handlers.
- Reduce attack surface by limiting account creation and requiring administrator approval before granting Contributor-level access.
# Configuration example: locate vulnerable shortcode usage in the WordPress database
# (adjust the wp_ table prefix to the site's own; the entity-encoded &lt;script form is what survives wp_kses_post(), so match it as well as the literal form)
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[labb_pricing_item%' AND (post_content LIKE '%<script%' OR post_content LIKE '%&lt;script%' OR post_content LIKE '%onerror=%' OR post_content LIKE '%onload=%' OR post_content LIKE '%javascript:%');"