Description
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authenticated attackers, with contributor level access and above, to disable the Beaver Builder layout on arbitrary posts and pages, causing content integrity issues and layout disruption on those pages.
Published: 2025-12-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass allowing content tampering
Action: Patch immediately
AI Analysis

Impact

The Beaver Builder WordPress plugin fails to verify a user’s authorization when executing the disable() function. An authenticated user with contributor level or higher can therefore arbitrarily disable the Beaver Builder layout on any post or page. This results in loss of layout rendering and potential content integrity problems on those pages.

Affected Systems

All installations of the Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress up to and including version 2.9.4. The vulnerable code is present in the Lite version distributed via the WordPress plugin repository.

Risk and Exploitability

The CVSS score is 4.3, indicating a moderate impact and low exploitation risk. The EPSS score is below 1 %, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that widespread exploitation is unlikely at present. Nonetheless, because the flaw requires an authenticated account with contributor or higher privileges, any internal user or compromised account could abuse the omission of an authorization check to disrupt page layout. Administrators should treat this as a low‑to‑moderate risk and apply the fix promptly.

Generated by OpenCVE AI on April 21, 2026 at 17:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Beaver Builder to version 2.9.5 or later.
  • If an update is not feasible, remove contributor level or higher privileges from users who should not be able to modify Beaver Builder layout settings.
  • Monitor WordPress logs for attempts to disable Beaver Builder layout on posts and pages and investigate any unauthorized activity.

Generated by OpenCVE AI on April 21, 2026 at 17:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Dec 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Fastlinemedia
Fastlinemedia beaver Builder
CPEs cpe:2.3:a:fastlinemedia:beaver_builder:*:*:*:*:lite:wordpress:*:*
Vendors & Products Fastlinemedia
Fastlinemedia beaver Builder

Fri, 05 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Dec 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 04 Dec 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authenticated attackers, with contributor level access and above, to disable the Beaver Builder layout on arbitrary posts and pages, causing content integrity issues and layout disruption on those pages.
Title Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Builder Status Tampering
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Fastlinemedia Beaver Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:31.161Z

Reserved: 2025-11-05T22:08:55.570Z

Link: CVE-2025-12782

cve-icon Vulnrichment

Updated: 2025-12-05T17:21:24.952Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-04T07:16:13.883

Modified: 2025-12-11T18:17:25.773

Link: CVE-2025-12782

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses