WordPress Plugin Vulnerabilities

Beaver Builder – WordPress Page Builder < 2.9.4.1 - Missing Authorization to Authenticated (Contributor+) Builder Status Tampering

Description

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authenticated attackers, with contributor level access and above, to disable the Beaver Builder layout on arbitrary posts and pages, causing content integrity issues and layout disruption on those pages.

Affects Plugins

Plugin icon
beaver-builder-lite-version
Fixed in 2.9.4.1

References

CVE
CVE-2025-12782
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/710ed734-ca98-4ab3-82d5-359e683ee062

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Powpy, Waris Damkham
Verified
No
WPVDB ID
ef9071d3-e184-4fa2-a925-7d9860793681

Timeline

Publicly Published
2025-12-03 (about 5 months ago)
Added
2025-12-03 (about 5 months ago)
Last Updated
2025-12-04 (about 5 months ago)

Other

Published
Title
Published
2025-04-16
Title
Bring Fraktguiden for WooCommerce < 1.11.5 - Missing Authorization
Published
2025-11-30
Title
CatFolders < 2.5.4 - Missing Authorization
Published
2025-03-27
Title
Big Store < 2.0.9 - Missing Authorization
Published
2026-04-13
Title
Easy Appointments < 3.12.22 - Missing Authorization
Published
2026-02-17
Title
Compress < 6.60.29 - Missing Authorization