CVE-2022-2934 MEDIUM

CVE-2022-2934: Beaver Builder – WordPress Page Builder <= 2.5.5.2 - Authenticated Stored Cross-Site Scripting via Image URL

Vendor Justinbusa
Product Beaver Builder – WordPress Page Builder
Weakness CWE-79 · XSS
Published September 6, 2022
Last update February 7, 2025
View on NVD All CVEs

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image URL' value found in the Media block in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Key dates

02Disclosure timeline

September 6, 2022 CVE published
February 7, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2020-36858 Nagios Log Server < 2.1.6 XSS via Create User, Edit User, & Manage Host Lists Pages CVE-2021-36863 WordPress Quiz And Survey Master plugin <= 7.3.4 - Auth. Stored Cross-Site Scripting (XSS) vulnerability CVE-2021-23285 Security issues in Eaton Intelligent Power Manager Infrastructure CVE-2025-32171 WordPress Table Block by Tableberg plugin <= 0.6.10 - Cross Site Scripting (XSS) vulnerability CVE-2025-2544 AI Content Pipelines <= 1.6 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload