PT-2026-7482 · WordPress · Beaver Builder Page Builder
Athiwat Tiprasaharn
+2
·
Published
2026-02-11
·
Updated
2026-02-11
·
CVE-2026-1231
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Beaver Builder Page Builder plugin for WordPress versions prior to 2.10.0.6
Description
The Beaver Builder Page Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to missing capability checks within the
save global settings() function and insufficient input sanitization and output escaping. Authenticated attackers with Custom-level access or higher, who have been granted Beaver Builder access, can inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses an injected page via the js Global Settings parameter.Recommendations
Update to Beaver Builder Page Builder plugin version 2.10.0.6 or later.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Beaver Builder Page Builder