Description
WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form functionality. Attackers can submit a POST request to the admin-ajax.php endpoint with the uabb-lf-google-submit action, a valid administrator email address, and a valid nonce to obtain session cookies and authenticate as that user.
Published: 2026-06-20
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Ultimate Addons for Beaver Builder version 1.2.4.1 contains an authentication bypass vulnerability that allows an attacker to gain administrative session cookies by submitting a crafted POST request to the admin-ajax.php endpoint with the uabb-lf-google-submit action, a valid administrator email, and a valid nonce. This flaw reflects CWE‑288, Improper Authentication, and enables attackers to impersonate privileged users, compromising the confidentiality and integrity of the WordPress site.

Affected Systems

Any WordPress site that has the Ultimate Addons for Beaver Builder plugin, version 1.2.4.1, installed is affected. The plugin is developed by Ultimatebeaver and is commonly used to extend Beaver Builder functionality.

Risk and Exploitability

The CVSS score of 9.3 classifies this as a critical issue, underscoring the high impact of a successful exploit. The EPSS score is not available, so the current likelihood of exploitation cannot be quantified, but the fact that the vulnerability is remotely exploitable via a public HTTP request raises the risk considerably. The vulnerability is not listed in the CISA KEV catalog. Attackers can use the social media login form to trigger the flaw, meaning that the attack requires network access to the target site and knowledge of a valid administrator email and nonce. Once the attacker obtains the session cookie, they can access all administrative capabilities of the site.

Generated by OpenCVE AI on June 20, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ultimate Addons for Beaver Builder plugin to the latest patched version as soon as it becomes available
  • If an update cannot be applied immediately, disable the social media login feature to prevent exploitation via the uabb-lf-google-submit action
  • Monitor the admin‑ajax.php endpoint for anomalous POST requests and review authentication logs for unauthorized session cookies

Generated by OpenCVE AI on June 20, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form functionality. Attackers can submit a POST request to the admin-ajax.php endpoint with the uabb-lf-google-submit action, a valid administrator email address, and a valid nonce to obtain session cookies and authenticate as that user.
Title WordPress Ultimate Addons for Beaver Builder 1.2.4.1 Authentication Bypass
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T13:36:32.595Z

Reserved: 2026-06-20T13:30:11.594Z

Link: CVE-2019-25763

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T16:00:06Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel