CVE-2024-11832: 
WordPress vulnerability analysis and mitigation

The Beaver Builder – WordPress Page Builder plugin for WordPress (versions up to 2.8.4.4) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-11832) discovered in December 2024. The vulnerability exists in the custom JavaScript row settings due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.4 (Medium) according to Wordfence. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), low privileges (PR:L), and user interaction (UI:R) for successful exploitation (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to unauthorized data access, session hijacking, or other client-side attacks (NVD).

Users should update their Beaver Builder plugin to a version newer than 2.8.4.4 to address this vulnerability. The fix has been implemented in subsequent versions to properly sanitize and escape user input in the custom JavaScript row settings (Wordfence).