WordPress Plugin Vulnerabilities

Beaver Builder < 2.9.4.2 - Contributor+ Remote Code Execution

Description

The plugin is vulnerable to Remote Code Execution. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
beaver-builder-lite-version
Fixed in 2.9.4.2

References

CVE
CVE-2025-69319
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8dd3e94d-4397-4f8e-af21-b12e87e0cfb8

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Drew Webber (mcdruid)
Verified
No
WPVDB ID
22b9f8e9-15b9-42ae-807f-0855b9a6f8f8

Timeline

Publicly Published
2026-01-21 (about 3 months ago)
Added
2026-01-28 (about 3 months ago)
Last Updated
2026-01-28 (about 3 months ago)

Other

Published
Title
Published
2024-09-30
Title
Iconize <= 1.2.4 - Authenticated (Admin+) Remote Code Execution
Published
2023-09-15
Title
Allow PHP in Posts and Pages < 3.0.4 - Authenticated Remote Code Execution (RCE)
Published
2024-05-23
Title
Email Log < 2.4.9 - Unauthenticated Hook Injection
Published
2025-04-25
Title
Anps Theme plugin < 1.1.2 - Unauthenticated Arbitrary Shortcode Execution
Published
2025-11-10
Title
Holiday class post calendar < 7.2 - Unauthenticated Remote Code Execution via 'contents'