Livemesh Addons for Beaver Builder Vulnerability (Medium) – CVE-202…


Feb 25, 2026 | Plugins

Attack Vectors

CVE-2026-2029 is a medium-severity stored cross-site scripting (XSS) vulnerability (CVSS 6.4) affecting Livemesh Addons for Beaver Builder (WordPress plugin slug: addons-for-beaver-builder) in versions up to and including 3.9.2.

An attacker needs an authenticated account at the Contributor role or higher. With that level of access they can inject script through the [labb_pricing_item] shortcode by supplying crafted content in its title and value attributes.

Because this is stored XSS, the injected script does not need the attacker to be present: it runs in the browser of whoever later renders a page containing the shortcode. Contributors cannot publish, so in practice the payload first fires when an Editor or Administrator previews or reviews the pending post, and then for every visitor once it is published. A limited authoring permission thus becomes a route to attack privileged staff and site visitors alike.

Security Weakness

The issue is caused by insufficient input sanitization and output escaping in how the plugin processes shortcode attributes. According to the public advisory, the plugin passes the attribute through wp_kses_post() and then calls htmlspecialchars_decode() on the result. The ordering is what matters: wp_kses_post() removes disallowed tags, but an entity-encoded payload such as &lt;script&gt; contains no literal tag and is passed through as ordinary text. The subsequent htmlspecialchars_decode() turns those entities back into real markup, and nothing runs after it.

This sequence undoes the protection that wp_kses_post() provided and allows attacker-supplied content in title and value to be rendered as active script in the browser. The general rule it violates: the last transformation applied to untrusted data before it is emitted must be sanitization or escaping for the output context, never a decode.
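The following is an added Python model of the ordering bug described above; it is not the plugin's code. wp_kses_post() is stood in for by a small tag allowlist filter and PHP's htmlspecialchars_decode() by a function that reverses the same five entities, both written here as assumptions about their relevant behaviour. It shows that an entity-encoded payload survives the tag filter untouched, is re-armed by the decode that runs afterwards, and stays inert when escaping is the final step instead (as esc_html()/esc_attr() would be in WordPress).

```python
import html
import re

# --- Models of the two functions named in the advisory (assumptions, not WordPress/PHP code) ---

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "a", "span", "br"}
_TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^>]*>")


def kses_post_model(s: str) -> str:
    """Model of wp_kses_post(): drop any literal tag whose name is not allowlisted.
    Entity-encoded text such as '&lt;script&gt;' contains no literal '<', so a tag
    filter treats it as plain text and leaves it alone."""
    return _TAG_RE.sub(lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "", s)


# Order matters: '&amp;' is decoded last so that '&amp;lt;' becomes '&lt;', not '<',
# matching PHP's single-pass behaviour.
_SPECIALCHARS = [("&lt;", "<"), ("&gt;", ">"), ("&quot;", '"'), ("&#039;", "'"), ("&amp;", "&")]


def htmlspecialchars_decode_model(s: str) -> str:
    """Model of PHP htmlspecialchars_decode(): reverse the five entities that
    htmlspecialchars() produces."""
    for entity, char in _SPECIALCHARS:
        s = s.replace(entity, char)
    return s


# --- The two orderings ---

def render_vulnerable(attr: str) -> str:
    """Ordering described in the advisory: sanitize, THEN decode.
    Whatever survived the tag filter as entity text becomes live markup."""
    return htmlspecialchars_decode_model(kses_post_model(attr))


def render_fixed(attr: str) -> str:
    """Hardened ordering for a text field such as a pricing title: recover the intended
    plain text first, then escape for the HTML context as the LAST step. Nothing after
    the escape can turn the text back into markup."""
    text = htmlspecialchars_decode_model(attr)
    return html.escape(text, quote=True)


def contains_live_markup(s: str) -> bool:
    """True if the string contains something a browser would parse as a tag."""
    return re.search(r"<[A-Za-z/!]", s) is not None


if __name__ == "__main__":
    # Constructed sample attribute values, not real exploit traffic.
    samples = [
        "&lt;script&gt;alert(1)&lt;/script&gt;",   # entity-encoded: slips past the tag filter
        "<script>alert(1)</script>",               # literal: the tag filter strips it
        "Pro &amp; Teams",                         # benign, the reason a decode was tempting
    ]
    for s in samples:
        print(f"input      : {s}")
        print(f"vulnerable : {render_vulnerable(s)}  live={contains_live_markup(render_vulnerable(s))}")
        print(f"fixed      : {render_fixed(s)}  live={contains_live_markup(render_fixed(s))}")
        print()
```

The benign third sample explains why the decode was probably added: a Contributor typing an ampersand ends up with `&amp;` stored, and decoding makes it display nicely. The fix keeps that convenience by decoding first and escaping last; if some markup must be allowed in a field, the same rule applies with the allowlist sanitizer as the final step instead of the escape.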

At the time of writing, the advisory notes no known patch is available. Organizations should evaluate compensating controls and the business need for the plugin versus the risk of continued exposure.

Technical or Business Impacts

For business leaders, stored XSS is primarily a trust and brand-risk issue: it can enable unauthorized changes to on-page content, injection of malicious redirects, or insertion of deceptive forms/messages that look like your brand—especially damaging on high-traffic landing pages or campaign pages built with Beaver Builder.

Potential impacts include actions performed in a logged-in user's browser session (WordPress sets its authentication cookies HttpOnly, so the realistic path is not cookie theft but script that uses the victim's session and nonces to change settings or create an administrator account while an Editor or Administrator views the page), disruption to marketing performance (traffic hijacking, SEO damage, or campaign attribution corruption), and increased likelihood of compliance and incident response costs if customer data exposure is suspected.

Risk is heightened in environments where multiple teams (marketing, content, agencies) have Contributor access, where pages are updated frequently, or where the shortcode is embedded into templates that many pages inherit.

Mitigations to consider (based on risk tolerance): restrict Contributor accounts and review who has publishing and editing capability; implement stricter content approval workflows, bearing in mind that the reviewer's own browser is where a pending payload first executes; monitor for unexpected shortcode usage (especially [labb_pricing_item] with entity-encoded or event-handler content in its title or value attributes) and unusual changes to page content; and consider removing or replacing Livemesh Addons for Beaver Builder until a verified fix is available.
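As an added example of the monitoring step above (not part of the original advisory or the plugin), the scanner below walks post content, extracts every [labb_pricing_item] shortcode, parses its attributes with a regex modelled on the WordPress shortcode attribute syntax (`attr="v"`, `attr='v'`, `attr=v`), and flags title or value attributes that carry entity-encoded tags, inline event handlers, javascript: URIs or literal tags. The post bodies are constructed samples; in a real deployment the content would come from wp_posts (for example via `wp post list --format=json` or a direct query).

```python
import re

SHORTCODE = "labb_pricing_item"
WATCHED_ATTRS = ("title", "value")

# Indicators that plain pricing text should never contain. Order = priority of the label reported.
SUSPICIOUS = [
    ("entity-encoded tag", re.compile(r"&lt;|&#0*60;|&#x0*3c;", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
    ("literal tag", re.compile(r"<\s*/?\s*[a-z]", re.I)),
]

_SC_RE = re.compile(r"\[" + SHORTCODE + r"\b([^\]]*)\]")
# attr="..." | attr='...' | attr=bare  (modelled on WordPress's shortcode_parse_atts(), an assumption)
_ATTR_RE = re.compile(r"""([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")


def parse_attrs(raw: str) -> dict:
    """Return {attr_name: value} for the attribute string inside one shortcode tag."""
    attrs = {}
    for m in _ATTR_RE.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def scan_post(post_id: int, content: str) -> list:
    """Return (post_id, attr, indicator, value) for each watched attribute that looks hostile."""
    findings = []
    for sc in _SC_RE.finditer(content):
        attrs = parse_attrs(sc.group(1))
        for name in WATCHED_ATTRS:
            value = attrs.get(name)
            if value is None:
                continue
            for label, rx in SUSPICIOUS:
                if rx.search(value):
                    findings.append((post_id, name, label, value))
                    break
    return findings


def scan_posts(posts: dict) -> list:
    """posts: {post_id: post_content}. Flat list of findings across all posts."""
    out = []
    for post_id, content in posts.items():
        out.extend(scan_post(post_id, content))
    return out


# Constructed sample post bodies (not real site data).
SAMPLE_POSTS = {
    101: '<p>Plans</p>[labb_pricing_item title="Starter" value="$9/mo"]',
    102: '[labb_pricing_item title="Pro &amp; Teams" value="$29/mo"]',          # benign entity
    103: '[labb_pricing_item title="&lt;img src=x onerror=alert(1)&gt;" value="$49"]',
    104: """[labb_pricing_item title='Enterprise' value="&lt;script&gt;fetch('/wp-admin/')&lt;/script&gt;"]""",
    105: "[labb_pricing_item title=Team value=Custom][other_shortcode title=\"<b>x</b>\"]",  # other shortcode ignored
}

if __name__ == "__main__":
    for post_id, attr, label, value in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: {attr}={value!r} -> {label}")
```

A clean `&amp;` on its own is not flagged, which keeps the noise down on legitimate titles; the scanner is deliberately scoped to the one shortcode and the two attributes the advisory names, so widen WATCHED_ATTRS or SHORTCODE if other sinks turn up.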

Reference: CVE-2026-2029 record and the vendor advisory summary from Wordfence Threat Intelligence.

Similar Attacks

Stored XSS has a long history of being used to spread quickly and impact large audiences because it executes in the browser of whoever views the compromised page. A well-known example is the “Samy” worm (MySpace), which demonstrated how a single stored XSS payload could propagate widely and cause major platform disruption.
