CVE-2026-3895
Description
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ff0d4000-020b-4e22-9362-a8f0f5df321e?source=cve
- https://plugins.trac.wordpress.org/browser/addons-for-visual-composer/tags/3.9.4/admin/admin-ajax.php#L64
- https://plugins.trac.wordpress.org/browser/addons-for-visual-composer/tags/3.9.4/includes/helper-functions.php#L256
- https://plugins.trac.wordpress.org/browser/addons-for-visual-composer/tags/3.9.4/admin/views/settings.php#L568
CWEs
CWE-862
💬 Discuss CVE-2026-3895 on VIR Community →
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.