WordPress Plugin Vulnerabilities

Beaver Builder – WordPress Page Builder < 2.9.4.1 - Missing Authorization to Authenticated (Contributor+) Global Preset Modification

Description

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets. This makes it possible for authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets that affect all Beaver Builder content site-wide.

Affects Plugins

Plugin icon
beaver-builder-lite-version
Fixed in 2.9.4.1

References

CVE
CVE-2025-11726
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b797e141-a9d2-48c4-a44e-a59a80a90a5b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
74c498c5-c547-4264-98fa-6133e4f898fa

Timeline

Publicly Published
2025-12-01 (about 5 months ago)
Added
2025-12-01 (about 5 months ago)
Last Updated
2025-12-02 (about 5 months ago)

Other

Published
Title
Published
2025-05-19
Title
Projectopia < 5.1.18 - Missing Authorization
Published
2025-04-07
Title
Spider Elements – Addons for Elementor < 1.6.7 - Missing Authorization
Published
2024-02-14
Title
InstaWP Connect < 0.1.0.9 - Authenticated (Subscriber+) Remote Code Execution
Published
2022-08-16
Title
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS
Published
2026-02-18
Title
Image Photo Gallery Final Tiles Grid < 3.6.11 - Missing Authorization