CVE-2026-3895 Overview
CVE-2026-3895 is a Stored Cross-Site Scripting (XSS) vulnerability in the WPBakery Page Builder Addons by Livemesh plugin for WordPress. The flaw affects all versions up to and including 3.9.4. The lvca_admin_ajax AJAX handler verifies a nonce but omits a user capability check, leaving plugin settings writable by low-privileged accounts. Authenticated attackers with Subscriber-level access can modify plugin settings and inject malicious JavaScript. Injected payloads execute when administrators load the plugin settings page or when any visitor renders affected frontend output. The root cause is classified as Missing Authorization [CWE-862].
Critical Impact
Subscriber-level accounts can persist JavaScript that executes in administrator browsers, enabling session theft, account takeover, and arbitrary actions on behalf of site administrators.
Affected Products
- WPBakery Page Builder Addons by Livemesh plugin for WordPress
- All versions up to and including 3.9.4
- WordPress sites permitting Subscriber-level registration are at elevated risk
Discovery Timeline
- 2026-05-27 - CVE-2026-3895 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-3895
Vulnerability Analysis
The vulnerability resides in the plugin's lvca_admin_ajax AJAX action registered in admin/admin-ajax.php. The handler validates a WordPress nonce but does not call current_user_can() to confirm administrative privileges. Any authenticated user, including Subscribers, can therefore invoke the endpoint and update persisted plugin settings.
Values written through this handler are later rendered in the plugin settings UI (admin/views/settings.php) and in helper output (includes/helper-functions.php) without sufficient sanitization or output encoding. An attacker can store HTML and JavaScript that executes in the context of the WordPress origin.
Because the payload executes in an administrator's authenticated session, the impact crosses a privilege boundary, reflected by the scope change in the CVSS vector. Successful exploitation can lead to administrator session hijacking, creation of rogue admin accounts, or pivoting to remote code execution through theme or plugin editors.
Root Cause
The defect is a Missing Authorization weakness [CWE-862]. Nonce verification proves request intent and origin but does not enforce role-based access control. The handler should pair check_ajax_referer() with an explicit current_user_can('manage_options') check. Stored values must also be sanitized on input with functions such as sanitize_text_field() and escaped on output using esc_html() or esc_attr().
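The weak and hardened handler patterns described above, as an added illustration that is not the Livemesh plugin's own code; the function, hook, nonce and option names (all prefixed example_) are placeholders:

```php
<?php
// Hypothetical WordPress AJAX settings handler showing the CWE-862 pattern and its fix.
// Placeholder names only; this is not the code of the affected plugin.

// Weak pattern: the nonce is verified, but no capability check follows, and the
// raw POST data is persisted. Any logged-in user can reach update_option() here.
function example_settings_ajax_weak() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' ); // proves intent/origin, not role
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// Hardened pattern: authorization after the nonce, sanitization on input.
function example_settings_ajax_hardened() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
    $raw   = isset( $_POST['settings'] ) ? wp_unslash( (array) $_POST['settings'] ) : array();
    $clean = array();
    foreach ( $raw as $key => $value ) {
        $key = sanitize_key( $key );            // lowercase a-z, 0-9, _ and - only
        if ( '' === $key ) {
            continue;
        }
        $clean[ $key ] = sanitize_text_field( (string) $value ); // strips tags and control chars
    }
    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_settings', 'example_settings_ajax_hardened' );

// Settings UI: escape on output as well, so a value that slipped past input
// sanitization (or was written by another code path) cannot break out of the attribute.
function example_render_setting_field( $key ) {
    $settings = (array) get_option( 'example_plugin_settings', array() );
    $value    = isset( $settings[ $key ] ) ? (string) $settings[ $key ] : '';
    printf(
        '<input type="text" name="settings[%1$s]" value="%2$s" />',
        esc_attr( $key ),
        esc_attr( $value )
    );
}
```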
Attack Vector
Exploitation requires only a low-privileged authenticated account. The attacker sends a crafted POST request to admin-ajax.php with action=lvca_admin_ajax, a valid nonce obtainable from accessible plugin assets, and malicious values for plugin settings fields. The payload persists in the WordPress options table and triggers on subsequent administrator visits to the settings page or frontend renders that surface the stored data.
Refer to the Wordfence Vulnerability Report and the WordPress Plugin Code Review for the vulnerable handler details.
Detection Methods for CVE-2026-3895
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=lvca_admin_ajax originating from non-administrator user sessions.
- Unexpected <script>, onerror, or onload content stored in Livemesh plugin option rows within the wp_options table.
- Administrator sessions exhibiting outbound requests to unknown domains shortly after visiting the plugin settings page.
- Creation of new administrator users or unauthorized changes to user roles following Subscriber activity.
Detection Strategies
- Audit wp_options entries owned by the addons-for-visual-composer plugin for HTML or JavaScript content.
- Inspect web server access logs for lvca_admin_ajax calls correlated with low-privilege session cookies.
- Deploy WordPress security plugins or web application firewall rules that flag XSS payloads in admin-ajax parameters.
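An added audit script for the wp_options check listed above (not part of the plugin or of this advisory); it assumes it is run with WP-CLI's wp eval-file so WordPress functions and $wpdb are loaded, and the option-name prefix lvca_ is a guessed placeholder to replace with the option names the plugin actually registers on your site:

```php
<?php
// Added audit script: `wp eval-file audit-livemesh-options.php`
// The prefix below is an ASSUMED placeholder; confirm the real option names in wp_options first.
$option_prefix = 'lvca_';

// Flags a string that contains tags (anything wp_strip_all_tags() would remove)
// or event-handler / javascript: fragments that are dangerous even without a full tag.
function example_value_looks_like_markup( $value ) {
    $value = (string) $value;
    return wp_strip_all_tags( $value ) !== trim( $value )
        || preg_match( '/\bon[a-z]+\s*=|javascript\s*:/i', $value );
}

// Settings are usually stored as nested arrays, so walk the structure recursively
// and record the path to every suspicious leaf string.
function example_scan_value( $value, $path, &$findings ) {
    if ( is_array( $value ) || is_object( $value ) ) {
        foreach ( (array) $value as $k => $v ) {
            example_scan_value( $v, $path . '.' . $k, $findings );
        }
    } elseif ( is_string( $value ) && example_value_looks_like_markup( $value ) ) {
        $findings[] = array( 'path' => $path, 'excerpt' => substr( $value, 0, 80 ) );
    }
}

global $wpdb;
$names = $wpdb->get_col( $wpdb->prepare(
    "SELECT option_name FROM {$wpdb->options} WHERE option_name LIKE %s",
    $wpdb->esc_like( $option_prefix ) . '%'
) );

$findings = array();
foreach ( $names as $name ) {
    example_scan_value( get_option( $name ), $name, $findings );
}

if ( empty( $findings ) ) {
    WP_CLI::success( 'No markup-like content found in ' . count( $names ) . ' option(s).' );
} else {
    foreach ( $findings as $f ) {
        WP_CLI::warning( sprintf( '%s: %s', $f['path'], $f['excerpt'] ) );
    }
}
```

Options that legitimately hold HTML will also be reported, so treat the output as a review list rather than an automatic verdict.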
Monitoring Recommendations
- Forward WordPress access and audit logs to a centralized analytics platform to correlate authenticated AJAX activity with privilege changes.
- Monitor for new admin user creation, plugin or theme file edits, and unexpected option updates after AJAX writes.
- Alert on Content Security Policy violation reports indicating inline script execution on /wp-admin pages.
How to Mitigate CVE-2026-3895
Immediate Actions Required
- Update the WPBakery Page Builder Addons by Livemesh plugin to a version newer than 3.9.4 once released by the vendor.
- Disable open user registration or restrict Subscriber-level account creation until patched.
- Review existing low-privileged accounts and remove any unfamiliar users.
- Inspect and sanitize stored Livemesh plugin settings to remove injected scripts.
Patch Information
At the time of publication, the NVD entry references the vulnerable code in version 3.9.4. Administrators should monitor the Wordfence Vulnerability Report and the official plugin page on WordPress.org for the fixed release, then apply it immediately across all environments.
Workarounds
- Deactivate the WPBakery Page Builder Addons by Livemesh plugin until a fixed version is installed.
- Deploy a web application firewall rule that blocks unauthenticated or Subscriber-level POSTs containing action=lvca_admin_ajax.
- Enforce a strict Content Security Policy on /wp-admin to limit inline script execution.
- Require multi-factor authentication for all administrator accounts to reduce the impact of session hijacking.
# Example ModSecurity rule for the vulnerable AJAX action. A WAF cannot see WordPress roles,
# so the rule keys on script-like content in the request arguments rather than on privilege.
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
"chain,phase:2,deny,status:403,id:1026389501,msg:'Block lvca_admin_ajax XSS attempt (CVE-2026-3895)'"
SecRule ARGS:action "@streq lvca_admin_ajax" \
"chain"
SecRule ARGS "@rx (?i)(<script|onerror=|onload=|javascript:)" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.