📄 Description (English)
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcode attributes in all versions up to, and including, 3.9.4 due to insufficient input sanitization and output escaping. Specifically, shortcode attributes are encoded with `wp_json_encode()` and output into single-quoted `data-settings` HTML attributes without using `esc_attr()`, allowing attackers to break out of the attribute by injecting single quotes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🤖 AI Executive Summary
WPBakery Page Builder Addons by Livemesh plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in carousel shortcodes affecting versions up to 3.9.4. Authenticated users with Contributor-level access can inject malicious scripts that execute for all page visitors. While currently unpatched, the medium CVSS score (6.4) and requirement for authenticated access limit immediate risk, but the stored nature of the vulnerability poses persistent threats to WordPress sites using this plugin.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 28, 2026 21:33
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WPBakery Page Builder Addons are at risk, particularly: (1) Government agencies and municipalities relying on WordPress for public-facing portals and content management; (2) Banking and financial services sector using WordPress for customer-facing websites and informational portals; (3) Healthcare institutions publishing medical information and patient resources; (4) E-commerce and retail businesses under SAMA oversight; (5) Educational institutions and universities. The vulnerability is particularly concerning for organizations with multiple content contributors, as any Contributor-level user can inject persistent malicious content affecting all visitors. Saudi organizations should prioritize assessment of WordPress plugin inventory and contributor access controls.
🏢 Affected Saudi Sectors
Government & Public Administration
Banking & Financial Services
Healthcare & Medical Services
E-commerce & Retail
Education & Universities
Telecommunications
Energy & Utilities
Media & Publishing
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress sites using WPBakery Page Builder Addons by Livemesh plugin to identify current version
2. Review user access logs for Contributor-level and above accounts to identify potential unauthorized modifications
3. Scan all pages/posts containing [lvca_carousel] and [lvca_posts_carousel] shortcodes for suspicious attributes or script injections
4. Restrict Contributor-level access to only trusted personnel until patch is available
COMPENSATING CONTROLS (until patch available):
5. Disable the plugin entirely if not critical to operations, or restrict its use to Administrator-only accounts
6. Implement Web Application Firewall (WAF) rules to detect and block single-quote injection attempts in shortcode attributes
7. Enable WordPress security plugins (e.g., Wordfence, Sucuri) with real-time malware scanning
8. Implement Content Security Policy (CSP) headers to restrict inline script execution
9. Use WordPress user role management to limit Contributor access to essential personnel only
10. Enable audit logging for all post/page modifications
DETECTION RULES:
- Monitor for modifications to posts/pages containing lvca_carousel or lvca_posts_carousel shortcodes
- Alert on single-quote characters (') in shortcode attribute values
- Track changes by Contributor-level accounts to published content
- Monitor for unusual JavaScript patterns in page content (script tags, event handlers)
PATCHING:
- Monitor plugin repository for security update to version 3.9.5 or later
- Test patch in staging environment before production deployment
- Apply patch immediately upon availability
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع مواقع WordPress التي تستخدم مكون WPBakery Page Builder Addons by Livemesh لتحديد الإصدار الحالي
2. مراجعة سجلات وصول المستخدمين لحسابات مستوى المساهم وما فوقه لتحديد التعديلات المحتملة غير المصرح بها
3. فحص جميع الصفحات/المنشورات التي تحتوي على اختصارات [lvca_carousel] و [lvca_posts_carousel] بحثاً عن سمات مريبة أو حقن نصوص برمجية
4. تقييد وصول مستوى المساهم إلى الموظفين الموثوقين فقط حتى يتوفر التصحيح
الضوابط البديلة (حتى يتوفر التصحيح):
5. تعطيل المكون بالكامل إذا لم يكن حرجاً للعمليات، أو تقييد استخدامه على حسابات المسؤول فقط
6. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن محاولات حقن علامات الاقتباس الفردية وحجبها
7. تفعيل مكونات أمان WordPress (مثل Wordfence و Sucuri) مع المسح الفوري للبرامج الضارة
8. تنفيذ رؤوس سياسة أمان المحتوى (CSP) لتقييد تنفيذ النصوص البرمجية المضمنة
9. استخدام إدارة أدوار مستخدمي WordPress لتقييد وصول المساهم على الموظفين الأساسيين فقط
10. تفعيل تسجيل التدقيق لجميع تعديلات المنشورات/الصفحات
قواعد الكشف:
- مراقبة التعديلات على المنشورات/الصفحات التي تحتوي على اختصارات lvca_carousel أو lvca_posts_carousel
- تنبيه على أحرف علامات الاقتباس الفردية (') في قيم سمات الاختصار
- تتبع التغييرات بواسطة حسابات مستوى المساهم للمحتوى المنشور
- مراقبة أنماط JavaScript غير العادية في محتوى الصفحة (علامات النصوص البرمجية ومعالجات الأحداث)
التصحيح:
- مراقبة مستودع المكون للحصول على تحديث أمان للإصدار 3.9.5 أو أحدث
- اختبار التصحيح في بيئة التجريب قبل نشره في الإنتاج
- تطبيق التصحيح فوراً عند توفره
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships (plugin vendor security)
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Establishment of information security baselines
🔵 SAMA CSF
Governance & Risk Management - Vulnerability Management
Information & Cyber Security - Application Security
Information & Cyber Security - Security Monitoring & Incident Response
Operational Resilience - Business Continuity & Disaster Recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2.1 - Supplier security requirements
ISO 27001:2022 A.5.23 - Information security for supplier relationships
ISO 27001:2022 A.8.2.3 - Segregation of duties
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Ensure security patches are installed within defined timeframe
PCI DSS 6.5.7 - Cross-site scripting (XSS) prevention
PCI DSS 2.2.4 - Configure system security parameters to prevent misuse
🔗 References & Sources 3
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/addons-for-visual-composer/tags/3.9.4/includ...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/addons-for-visual-composer/tags/3.9.4/includ...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/ac1493dc-a90a-4427-a631-af5da...
security@wordfence.com