CVE-2024-0871 in Beaver Builder Plugin
Summary
by MITRE • 03/13/2024
The Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Widget 'fl_builder_data[node_preview][link]' and 'fl_builder_data[settings][link_target]' parameters in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/19/2025
The vulnerability identified as CVE-2024-0871 affects the Beaver Builder plugin for WordPress, specifically targeting versions up to and including 2.7.4.2. This represents a critical stored cross-site scripting vulnerability that exploits the Icon Widget functionality within the plugin's data handling mechanisms. The flaw manifests through two primary parameters: 'fl_builder_data[node_preview][link]' and 'fl_builder_data[settings][link_target]' which are processed without adequate input sanitization or output escaping measures. The vulnerability's severity is amplified by the fact that it requires only contributor-level access or higher to exploit, making it particularly dangerous in environments where multiple users with varying permission levels have access to the WordPress administration interface.
The technical implementation of this vulnerability stems from insufficient validation of user-supplied data within the plugin's processing pipeline. When administrators or contributors with appropriate privileges create or modify content using the Icon Widget, the plugin fails to properly sanitize the link parameters before storing them in the database. This stored data is then subsequently retrieved and rendered without proper HTML escaping, creating an environment where malicious scripts can persist and execute whenever legitimate users view pages containing the compromised content. The vulnerability operates as a classic stored XSS attack where the malicious payload is embedded in the application's database rather than being transmitted through a single request, making it particularly persistent and difficult to detect.
From an operational impact perspective, this vulnerability creates significant risks for WordPress sites utilizing the Beaver Builder plugin. An attacker with contributor privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or further compromise of the affected WordPress installation. The attack vector is particularly concerning because it leverages legitimate administrative functionality, making malicious activity harder to distinguish from normal user behavior. The stored nature of the vulnerability means that once exploited, the malicious code will persist until manually removed from the database, potentially affecting all users who access pages containing the compromised content. This vulnerability directly maps to CWE-79 which describes improper neutralization of input during web page generation, and aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments or links.
The mitigation strategy for CVE-2024-0871 requires immediate attention from WordPress administrators and security teams. The primary recommendation is to update the Beaver Builder plugin to version 2.7.4.3 or later, which contains the necessary patches to address the input sanitization and output escaping deficiencies. In addition to the mandatory update, organizations should implement comprehensive monitoring of user activity within the WordPress administration interface, particularly focusing on modifications made to content elements that utilize the Icon Widget functionality. Security teams should also consider implementing additional input validation measures at the web application firewall level and conduct thorough security reviews of all plugins and themes to identify similar vulnerabilities. Organizations should also ensure that user permissions are strictly enforced and that only trusted individuals have contributor-level access or higher to prevent unauthorized exploitation of this vulnerability.