CVE-2026-2030 Overview
CVE-2026-2030 is a stored Cross-Site Scripting (XSS) vulnerability in the WPBakery Page Builder Addons by Livemesh plugin for WordPress. The flaw affects all plugin versions up to and including 3.9.4. It resides in the [lvca_carousel] and [lvca_posts_carousel] shortcode attributes, where input sanitization and output escaping are insufficient. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes whenever a user views the affected page. The issue is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Authenticated contributors can inject persistent JavaScript that runs in the browsers of site visitors and administrators, enabling session hijacking, content tampering, and admin account takeover.
Affected Products
- WPBakery Page Builder Addons by Livemesh plugin for WordPress — all versions through 3.9.4
- The [lvca_carousel] shortcode handler in class-lvca-carousel.php
- The [lvca_posts_carousel] shortcode handler in class-lvca-posts-carousel.php
Discovery Timeline
- 2026-05-27 - CVE-2026-2030 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-2030
Vulnerability Analysis
The vulnerability resides in how the Livemesh plugin renders shortcode attributes into HTML. Shortcode attributes supplied through [lvca_carousel] and [lvca_posts_carousel] are serialized using wp_json_encode() and then written into a single-quoted data-settings HTML attribute. The output path does not call esc_attr() on the encoded string. Because wp_json_encode() escapes double quotes but leaves single quotes untouched, an attacker can supply a value containing a single quote to break out of the attribute context. Once outside the attribute, the attacker can introduce new HTML attributes such as event handlers that execute JavaScript when the page renders.
Exploitation requires only Contributor-level access, a role that many WordPress installations grant to guest authors. The injected payload is stored in post content and triggers on every view, making it a persistent (stored) XSS condition. Successful exploitation can lead to administrator session theft, forced administrative actions via CSRF chaining, and silent backdoor installation.
Root Cause
The root cause is missing output escaping. The plugin trusts the output of wp_json_encode() to be safe inside an HTML attribute, but JSON encoding only guarantees valid JSON syntax; it does not escape for the HTML attribute context. Single quotes pass through untouched, so emitting the JSON inside a single-quoted attribute creates an injection sink. The correct pattern is to pass the encoded value through esc_attr() before writing it into the HTML attribute.
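The unescaped and escaped output paths side by side, as an added PHP example that is not the plugin's code: wp_json_encode() and esc_attr() are stubbed with the core calls they wrap so the script runs outside WordPress, and the sample settings value is constructed.

```php
<?php
// Added example, not the plugin's own code: why wp_json_encode() alone is not an
// HTML-attribute escaper, and how esc_attr() closes the gap. Outside WordPress the
// two core functions are stubbed with the underlying PHP calls they wrap.
if (!function_exists('wp_json_encode')) {
    function wp_json_encode($data) { return json_encode($data); }
}
if (!function_exists('esc_attr')) {
    // Core's esc_attr() is _wp_specialchars() with ENT_QUOTES; this mirrors that.
    function esc_attr($text) { return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); }
}

// Vulnerable shape from the advisory: JSON written straight into a single-quoted
// attribute. json_encode() escapes " but leaves ' alone, so a single quote in any
// value ends the attribute early and whatever follows becomes new attributes.
function render_vulnerable(array $settings): string {
    return "<div class='lvca-carousel' data-settings='" . wp_json_encode($settings) . "'></div>";
}

// Fixed shape: escape for the HTML attribute context after JSON encoding.
function render_fixed(array $settings): string {
    return "<div class='lvca-carousel' data-settings='" . esc_attr(wp_json_encode($settings)) . "'></div>";
}

// Returns the attribute names an HTML parser sees on the element. For an
// attribute-context XSS this, not the raw string, is what matters.
function attribute_names(string $html): array {
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $names = [];
    foreach ($doc->getElementsByTagName('div')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed sample: a value containing a single quote followed by an
// event-handler token, the shape the advisory describes; the token is inert here.
$settings = ['arrows' => 'yes', 'dots' => "no' onmouseover='x"];

foreach (['vulnerable' => render_vulnerable($settings), 'fixed' => render_fixed($settings)] as $label => $html) {
    echo $label, ': ', $html, PHP_EOL;
    echo '  attributes seen by the parser: ', implode(', ', attribute_names($html)), PHP_EOL;
}
```

The vulnerable render yields an extra, attacker-named attribute on the element; the fixed render keeps the whole JSON inside data-settings.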
Attack Vector
An authenticated attacker with at least Contributor privileges creates or edits a post that contains a malicious [lvca_carousel] or [lvca_posts_carousel] shortcode. The attacker crafts attribute values containing single quotes followed by additional HTML attributes and JavaScript. When any visitor or administrator renders the page, the browser parses the injected attributes and executes the attacker's script in the site's origin.
Detailed source references are available in the WordPress Carousel Class Code and the WordPress Posts Carousel Class Code. The Wordfence Vulnerability Analysis provides further detail.
Detection Methods for CVE-2026-2030
Indicators of Compromise
- Post or page content containing [lvca_carousel] or [lvca_posts_carousel] shortcodes with single quotes or HTML event handler keywords such as onmouseover, onerror, or onload inside attribute values.
- Rendered HTML on public pages exposing data-settings='...' attributes that contain unexpected tag boundaries or JavaScript fragments.
- New WordPress administrator accounts, modified user roles, or unexplained plugin installations following Contributor activity.
Detection Strategies
- Scan the wp_posts table for shortcode patterns matching lvca_carousel or lvca_posts_carousel and inspect attribute values for embedded HTML or script syntax.
- Deploy a Content Security Policy (CSP) in report-only mode to surface inline script execution originating from post content.
- Review WordPress audit logs for post edits and creations by Contributor and Author accounts that include the affected shortcodes.
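A content scanner for the first strategy above, added here as example code rather than anything from the plugin or Wordfence: the shortcode and attribute parsing is a simplified form of WordPress's own, the $wpdb query in the comment is the usual way to source post_content, and the two sample posts are constructed.

```php
<?php
// Added example, not WordPress or plugin code: finds the two Livemesh shortcodes in
// post content and flags attribute values or names that carry quote-breaking or
// event-handler syntax. In a WP context, feed it rows from
// $wpdb->get_results("SELECT ID, post_content FROM {$wpdb->posts} WHERE post_content LIKE '%lvca_%carousel%'").
function lvca_flag_shortcodes(string $content): array {
    $findings = [];
    // Either shortcode name followed by its attribute string, up to the closing bracket.
    preg_match_all('/\[(lvca_carousel|lvca_posts_carousel)\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER);
    foreach ($tags as $tag) {
        // Simplified shortcode_parse_atts(): name="v", name='v' or bare name=v.
        preg_match_all('/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/', $tag[2], $atts, PREG_SET_ORDER);
        foreach ($atts as $att) {
            $name  = $att[1];
            $value = ($att[2] ?? '') . ($att[3] ?? '') . ($att[4] ?? ''); // only one alternative matched
            $reasons = [];
            // A value can only break out of the attribute by closing it; a quote or
            // angle bracket inside a carousel setting has no legitimate purpose.
            if (strpbrk($value, '\'"<>') !== false) {
                $reasons[] = 'quote or tag character in value';
            }
            if (preg_match('/\bon[a-z]+\s*=|javascript:/i', $value)) {
                $reasons[] = 'event handler or script URL in value';
            }
            // If the payload used the same quote style as the shortcode attribute, the
            // injected handler shows up as an attribute name of its own.
            if (preg_match('/^on[a-z]+$/i', $name)) {
                $reasons[] = 'event-handler attribute name';
            }
            if ($reasons) {
                $findings[] = ['shortcode' => $tag[1], 'attribute' => $name, 'value' => $value, 'reasons' => $reasons];
            }
        }
    }
    return $findings;
}

// Constructed sample posts: one benign, one with the breakout shape the advisory describes.
$posts = [
    101 => 'Intro text [lvca_carousel arrows="yes" dots="no"] more text',
    102 => '[lvca_posts_carousel dots="no\' onmouseover=\'x"]',
];
foreach ($posts as $id => $content) {
    foreach (lvca_flag_shortcodes($content) as $f) {
        printf("post %d: [%s] %s=%s (%s)\n", $id, $f['shortcode'], $f['attribute'], $f['value'], implode('; ', $f['reasons']));
    }
}
```

Run it against post revisions as well as published content, since a Contributor's pending draft is where the shortcode first lands.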
Monitoring Recommendations
- Alert on outbound requests from administrator browsers to unknown domains shortly after viewing posts containing Livemesh shortcodes.
- Monitor for changes to the wp_users, wp_usermeta, and wp_options tables that follow post publishing events by lower-privileged users.
- Track plugin version inventory across WordPress fleets and flag any site running version 3.9.4 or earlier.
How to Mitigate CVE-2026-2030
Immediate Actions Required
- Update the WPBakery Page Builder Addons by Livemesh plugin to a version later than 3.9.4 as soon as the vendor publishes a fixed release.
- Audit all existing posts and pages for [lvca_carousel] and [lvca_posts_carousel] shortcodes and remove any containing suspicious attribute payloads.
- Restrict the Contributor and Author roles to trusted users only, and review recently granted accounts.
Patch Information
At the time of publication, the vulnerability affects all versions through 3.9.4. Administrators should monitor the plugin's WordPress.org listing and the Wordfence Vulnerability Analysis entry for confirmation of a patched release. The structural fix requires wrapping the wp_json_encode() output with esc_attr() before emitting it into the data-settings attribute.
Workarounds
- Deactivate the Livemesh WPBakery Page Builder Addons plugin until a patched version is available if the carousel shortcodes are not business-critical.
- Use a Web Application Firewall (WAF) rule to block POST requests containing the affected shortcodes combined with single quotes or HTML event handler keywords in attribute positions.
- Apply a strict Content Security Policy that disallows inline scripts and unsafe event handlers on the front-end.
- Temporarily downgrade Contributor and Author accounts or require editorial review before publishing posts that contain Livemesh shortcodes.
# Configuration example: Apache mod_security rule to block suspicious shortcode submissions
SecRule ARGS "@rx \[lvca_(posts_)?carousel[^\]]*'[^\]]*on[a-z]+\s*=" \
"id:1002030,phase:2,deny,status:403,log,\
msg:'CVE-2026-2030 Livemesh shortcode XSS attempt blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


