CVE-2024-43330 – This Cross-Site Scripting (XSS) vulnerability i... (How to Fix)

Q: What is the severity of CVE-2024-43330?

CVE-2024-43330 has a CVSS score of 7.1 (HIGH). This Cross-Site Scripting (XSS) vulnerability in PowerPack for Beaver Builder allows attackers to inject malicious scripts into web pages viewed by other users. It affects WordPress sites using the PowerPack plugin, potentially compromising user sessions and stealing sensitive data. All sites running vulnerable versions are at risk.

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in PowerPack for Beaver Builder allows attackers to inject malicious scripts into web pages viewed by other users. It affects WordPress sites using the PowerPack plugin, potentially compromising user sessions and stealing sensitive data. All sites running vulnerable versions are at risk.

💻 Affected Systems

Products:

PowerPack for Beaver Builder WordPress Plugin

Versions: All versions before 2.37.4

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress with Beaver Builder and PowerPack plugin installed. No special configuration needed for exploitation.

📦 What is this software?

Powerpack For Beaver Builder by Ideabox

View all CVEs affecting Powerpack For Beaver Builder →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, take over WordPress sites, install backdoors, deface websites, or redirect visitors to malicious sites.

🟠

Likely Case

Session hijacking, cookie theft, credential harvesting, or displaying malicious content to users.

🟢

If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Reflected XSS typically requires user interaction (clicking malicious link) but is easy to exploit once discovered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.37.4

Vendor Advisory: https://patchstack.com/database/vulnerability/bbpowerpack/wordpress-powerpack-for-beaver-builder-plugin-2-37-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'PowerPack for Beaver Builder'. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.37.4+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the vulnerable plugin until patched

wp plugin deactivate bbpowerpack

Implement Content Security Policy

all

Add CSP headers to restrict script execution

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

🧯 If You Can't Patch

Disable PowerPack plugin completely until patched
Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → PowerPack for Beaver Builder version. If version is below 2.37.4, you are vulnerable.

Check Version:

wp plugin get bbpowerpack --field=version

Verify Fix Applied:

Confirm plugin version is 2.37.4 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual GET/POST requests with script tags or JavaScript payloads
Multiple failed XSS attempts in web server logs

Network Indicators:

HTTP requests containing <script>, javascript:, or encoded XSS payloads in query parameters

SIEM Query:

source="web_logs" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=") AND uri_path="*powerpack*"

📊 Metadata

CVE ID: CVE-2024-43330

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

Published: August 18, 2024

Last Updated: April 15, 2025

🔗 References

https://patchstack.com/database/vulnerability/bbpowerpack/wordpress-powerpack-for-beaver-builder-plugin-2-37-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-43330, you might also want to check these: