Attack Vectors
A medium-severity vulnerability (CVSS 6.4), CVE-2026-1231, affects the WordPress plugin Beaver Builder Page Builder – Drag and Drop Website Builder (slug: beaver-builder-lite-version) in versions up to and including 2.10.0.5. The issue can be exploited by an authenticated user who has been granted Beaver Builder access and holds Custom-level permissions (or higher).
The attack path abuses the plugin’s Global Settings, specifically the js parameter, to store malicious script content in the site. Once saved, the injected script runs when other users view an affected page, without requiring them to click anything.
Security Weakness
This is a Stored Cross-Site Scripting (Stored XSS) risk caused by a combination of a missing authorization (capability) check when saving global settings and insufficient input sanitization and output escaping. In practical terms, the plugin does not adequately enforce “who is allowed to save this setting,” and it also does not reliably prevent unsafe script content from being stored and later displayed.
Because the weakness sits in a global settings save routine (save_global_settings()), it can affect more than a single page or campaign asset, depending on how your site uses Beaver Builder’s global configuration.
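The advisory attributes the issue to two gaps in the global-settings save path: no capability check on who may save, and no safe handling of the stored value. The following PHP is an added illustration written for this page, not Beaver Builder’s own code or its actual patch; every function, option and field name prefixed with example_ is an assumption, and the capability choices (manage_options for saving at all, unfiltered_html for raw script) are one reasonable mapping, not the plugin’s. It shows the weak shape beside a hardened handler built from standard WordPress functions.

```php
<?php
// Added example, not Beaver Builder code. Names prefixed example_ are assumptions.

// Weak pattern: any user who can reach the form can save, and the js field
// is stored unchanged. This is the shape of defect the advisory describes.
function example_save_global_settings_weak() {
    if ( isset( $_POST['js'] ) ) {
        update_option( 'example_global_js', wp_unslash( $_POST['js'] ) );
    }
}

// Hardened pattern: authorization, request intent, input handling, output escaping.
function example_save_global_settings_hardened() {
    // 1. Authorization: decide explicitly who may save these settings.
    //    manage_options is an assumed choice; use the capability that fits your role model.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to save these settings.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. Intent: a nonce bound to this action rejects forged cross-site submissions.
    check_admin_referer( 'example_save_global_settings', 'example_nonce' );

    // 3. Input handling. A "global JS" field exists to hold executable script, so it
    //    cannot be sanitized into safety. Gate it on unfiltered_html, the capability
    //    WordPress already uses to decide who may publish raw markup and script.
    //    Users without it cannot change the field; the existing value is kept rather
    //    than silently storing a stripped version.
    $js = get_option( 'example_global_js', '' );
    if ( isset( $_POST['js'] ) && current_user_can( 'unfiltered_html' ) ) {
        $js = wp_unslash( $_POST['js'] );
    }
    update_option( 'example_global_js', $js );

    // A plain-text setting, by contrast, is sanitized on the way in.
    if ( isset( $_POST['site_tagline'] ) ) {
        update_option(
            'example_site_tagline',
            sanitize_text_field( wp_unslash( $_POST['site_tagline'] ) )
        );
    }
}

// 4. Output escaping: anything printed into HTML is escaped for its context,
//    so a stored value can never become markup when rendered.
function example_render_site_tagline() {
    echo '<p class="tagline">' . esc_html( get_option( 'example_site_tagline', '' ) ) . '</p>';
}
```

The point of the split between the js field and the tagline field is that sanitization is the right tool only for data that is meant to be text; a field whose purpose is to carry script has to be protected by who may write it, which is exactly the capability check the advisory says was missing.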
Technical or Business Impacts
Brand and customer trust risk: Stored scripts can change what visitors see (including forms and calls-to-action), redirect users, or display fraudulent messages—undermining confidence in your brand and marketing channels.
Lead and revenue risk: Attackers may tamper with landing pages, alter conversion paths, or inject content that captures submissions, which can directly impact pipeline quality, attribution, and sales outcomes.
Account and data exposure risk: When a script runs in a user’s browser on your site, it may be able to access what that user can access in their session, creating risk for internal users such as marketing admins, executives, or compliance staff.
Compliance and incident response costs: Even “medium severity” issues can trigger investigations, customer communications, and remediation work—especially if affected pages include tracking, forms, or customer-facing content.
Remediation: Update Beaver Builder Page Builder – Drag and Drop Website Builder to 2.10.0.6 or a newer patched version as recommended. Track the CVE record here: https://www.cve.org/CVERecord?id=CVE-2026-1231. Source advisory: Wordfence vulnerability entry.
Similar Attacks
Stored XSS in widely used web platforms has been repeatedly leveraged to impact real organizations through content tampering, credential theft, and user redirection. Examples include:
CVE-2018-6389 (WordPress) — A WordPress-related vulnerability widely discussed for its potential to disrupt site availability and increase exposure to follow-on attacks.
CVE-2023-34362 (MOVEit Transfer) — A high-profile case where a widely deployed platform vulnerability led to large-scale compromise and business impact across multiple industries.