Description
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the path and meta data of private attachments, which can be used to view the attachments.
Published: 2025-12-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The Beaver Builder – WordPress Page Builder plugin contains a vulnerability in the get_attachment_sizes function that allows authenticated users with Contributor or higher permissions to read the file path and metadata of private attachments, resulting in the disclosure of sensitive media information that can enable an attacker to view private files or infer their location.

Affected Systems

WordPress sites that have installed Beaver Builder Page Builder – Drag and Drop Website Builder version 2.9.4 or earlier are affected. The plugin is sold by Fastlinemedia under the Beaver Builder Lite bundle, so all earlier releases prior to 2.9.5 may expose private attachment paths.

Risk and Exploitability

The CVSS v3.1 score of 4.3 indicates medium severity, while the EPSS score of less than 1% suggests low likelihood of exploitation. The vulnerability is not listed in CISA KEV, implying no widespread attacks have been reported. Exploitation requires a valid authenticated session with Contributor-level access or higher, so sites that allow contributors to access private media could be at risk of confidential file disclosure.

Generated by OpenCVE AI on April 22, 2026 at 00:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Beaver Builder to a version newer than 2.9.4, which removes the vulnerable get_attachment_sizes function.
  • Restrict Contributor and higher role permissions so that users without a business need cannot access private media, thereby limiting the attack surface.
  • Review and tighten file permissions or server configuration to prevent direct access to private attachment URLs outside of the plugin context, such as using .htaccess rules or equivalent server-level controls.

Generated by OpenCVE AI on April 22, 2026 at 00:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Dec 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Fastlinemedia
Fastlinemedia beaver Builder
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:fastlinemedia:beaver_builder:*:*:*:*:lite:wordpress:*:*
Vendors & Products Fastlinemedia
Fastlinemedia beaver Builder

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 09 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 14:00:00 +0000

Type Values Removed Values Added
Description The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the path and meta data of private attachments, which can be used to view the attachments.
Title Beaver Builder – WordPress Page Builder <= 2.9.4 - Authenticated (Contributor+) Sensitive Information Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Fastlinemedia Beaver Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:10.471Z

Reserved: 2025-10-31T17:03:15.524Z

Link: CVE-2025-12558

cve-icon Vulnrichment

Updated: 2025-12-09T14:15:09.044Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-09T16:17:34.243

Modified: 2025-12-11T17:44:04.650

Link: CVE-2025-12558

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses