Question 1

What exactly is the vulnerability in Beaver Builder?

Accepted Answer

What exactly is the vulnerability in Beaver Builder?

The vulnerability is a stored cross-site scripting (XSS) issue that allows authenticated users with at least Contributor access to inject malicious JavaScript code into Beaver Builder pages and posts. When ordinary visitors load an infected page, the malicious scripts execute in their browser session enabling the hacker to potentially steal session cookies, take over accounts, or deface the site.

Question 2

Which Beaver Builder versions are affected?

Accepted Answer

Which Beaver Builder versions are affected?

Beaver Builder versions up to and including 2.7.4.2 contain this vulnerability. Versions since 2.7.4.3 have the fix applied and are secure.

Question 3

How serious is this Beaver Builder vulnerability?

Accepted Answer

How serious is this Beaver Builder vulnerability?

This vulnerability is quite serious, scoring a 6.4 CVSS severity rating. While exploitation requires an authenticated user account, many sites grant Contributor access more freely. And the impacts of XSS attacks can be significant. However, Beaver Builder's rapid response in issuing a patch should help limit danger.

Question 4

Is updating Beaver Builder enough to secure my site?

Accepted Answer

Is updating Beaver Builder enough to secure my site?

Updating Beaver Builder plugins to the latest fixed version is the first critical step. You should also check for signs of existing compromise like injected scripts or malware. Good additional security practices are enabling auto-updates for plugins, limiting Contributor permissions, adding a Web Application Firewall, and regularly scanning for vulnerabilities.

Question 5

I use Beaver Builder - how do I update?

Accepted Answer

I use Beaver Builder - how do I update?

To update Beaver Builder, first backup your site. Then log in to your WordPress dashboard. Go to Plugins > Installed Plugins and click Update next to Beaver Builder to download the new fixed 2.7.4.3 files. Or click Delete and reinstall if the update isn't showing.

Question 6

Should I find an alternate to Beaver Builder due to this vulnerability?

Accepted Answer

Should I find an alternate to Beaver Builder due to this vulnerability?

While other page builder plugins like Elementor avoid this particular issue, all software has some vulnerability risk. Beaver Builder's response of promptly patching this bug is respectable. You may consider alternatives, but Beaver Builder remains a solid choice updated.

Question 7

What if I suspect my site was already hacked using this vulnerability?

Accepted Answer

What if I suspect my site was already hacked using this vulnerability?

If you have signs of existing compromise like unexpected user accounts, defaced pages, or strange site behavior, take the site offline immediately. Restore from backups made before exploitation occurred. Scan for malware. Reset all passwords. And consider contacting a security professional for additional investigation and hardening.

Question 8

Why do vulnerabilities like this keep happening with WordPress plugins?

Accepted Answer

Why do vulnerabilities like this keep happening with WordPress plugins?

The open source nature of WordPress and its plugins, while empowering, introduces security risks that closed software avoids. The large plugin ecosystem's variability in code quality and release pacing also plays a role. While standards are improving, vulnerabilities continue being all too common.

Question 9

Should I avoid using plugins because of security issues?

Accepted Answer

Should I avoid using plugins because of security issues?

Plugins remain highly useful WordPress tools that are worth careful use. Practicing prudence by vetting plugin reputation and code quality first, limiting plugins installed, keeping them updated, and hardening configurations can reap plugin benefits while minimizing, though not eliminating, security risks.

Question 10

Who discovered and reported this Beaver Builder plugin vulnerability?

Accepted Answer

Who discovered and reported this Beaver Builder plugin vulnerability?

This vulnerability was discovered and responsibly reported by a security researcher using the handle RandomRoot. Discovering and disclosing bugs appropriately allows them to get fixed, improving software security and the greater good of internet users. Many vulnerabilities are discovered by researchers rather than software vendors themselves.

web application firewall

Beaver Builder Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0897 | WordPress Plugin Vulnerability Report

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy