CVE-2024-2925: 
WordPress vulnerability analysis and mitigation

The Beaver Builder – WordPress Page Builder plugin (CVE-2024-2925) contains a Stored Cross-Site Scripting vulnerability in its Button Widget component, affecting all versions up to and including 2.8.0.5. The vulnerability was disclosed on April 2, 2024, and impacts WordPress installations using the affected plugin versions (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's Button Widget component. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions and data exposure (NVD).

Users should update their Beaver Builder plugin to a version newer than 2.8.0.5. The vulnerability has been patched, as evidenced by the changes in the plugin's source code (WordPress Plugin).