Description
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'duplicate_wpml_layout' function in all versions up to, and including, 2.9.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary posts with the content of other existing posts, potentially exposing private and password-protected content and deleting any content that is not saved in revisions or backups. Posts must have been created with Beaver Builder to be copied or updated.
Published: 2025-12-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Post Modification
Action: Patch Now
AI Analysis

Impact

The Beaver Builder plugin contains a missing capability check in the duplicate_wpml_layout function. Authenticated users with a Subscriber role or higher can invoke this function to replace the content of any Beaver Builder post with that of another post. This allows the attacker to expose private or password‑protected information and to delete content that is not preserved in revisions or backups. The flaw directly compromises data integrity and confidentiality of posts created with Beaver Builder.

Affected Systems

WordPress sites running any version of the Beaver Builder Page Builder – Drag and Drop Website Builder plugin up to and including 2.9.4.1 are vulnerable. Any post created with Beaver Builder can be duplicated or overwritten by users who have Subscriber-level access or higher.

Risk and Exploitability

The CVSS score of 8.1 classifies this issue as high severity, while the EPSS score of less than 1% indicates a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an authenticated WordPress login with Subscriber or greater privileges; the attacker can trigger the flawed function via the WordPress admin interface without needing elevated system privileges or remote code execution.

Generated by OpenCVE AI on April 21, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Beaver Builder plugin to a version newer than 2.9.4.1 that implements the missing capability check for duplicate_wpml_layout.
  • If an immediate upgrade is not possible, restrict the Subscriber role by removing the edit_posts capability using a role‑editor plugin so that these users cannot modify Beaver Builder posts.
  • Periodically review post content and WordPress admin logs for unexpected duplication or overwrite actions, and ensure regular backups are in place to recover any lost content.

Generated by OpenCVE AI on April 21, 2026 at 16:54 UTC.
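The weakness described above is CWE-862: the handler performs a privileged action (overwriting one post with another's content) without confirming the caller is allowed to read the source or edit the target. The following is an added illustration, not code from the Beaver Builder plugin or from OpenCVE; the function names, the AJAX action name and the nonce name are assumptions. It shows the unchecked pattern beside the checked one so that the missing control is concrete.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress AJAX
// handler. This is NOT the Beaver Builder plugin's duplicate_wpml_layout code;
// function, action and nonce names are hypothetical.

// Unchecked pattern. Any logged-in user can reach a wp_ajax_* action, and
// wp_update_post() does no capability checking of its own, so a Subscriber
// could copy any post's content into any other post.
function example_duplicate_layout_unchecked() {
    $source_id = isset( $_POST['source_id'] ) ? absint( $_POST['source_id'] ) : 0;
    $target_id = isset( $_POST['target_id'] ) ? absint( $_POST['target_id'] ) : 0;

    $source = get_post( $source_id );
    if ( ! $source ) {
        wp_send_json_error( 'no such post', 404 );
    }

    wp_update_post( array(
        'ID'           => $target_id,
        'post_content' => $source->post_content,
    ) );
    wp_send_json_success();
}

// Checked pattern: CSRF nonce, then a capability check on BOTH posts involved.
function example_duplicate_layout_checked() {
    // Rejects requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_duplicate_layout', 'nonce' );

    $source_id = isset( $_POST['source_id'] ) ? absint( $_POST['source_id'] ) : 0;
    $target_id = isset( $_POST['target_id'] ) ? absint( $_POST['target_id'] ) : 0;

    // 'read_post' is a meta capability: for a private post it resolves to
    // read_private_posts (or authorship), so it blocks the confidentiality leak.
    if ( ! $source_id || ! current_user_can( 'read_post', $source_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $source = get_post( $source_id );
    if ( ! $source ) {
        wp_send_json_error( 'no such post', 404 );
    }

    // read_post does not cover post passwords; post_password_required() does.
    if ( post_password_required( $source ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 'edit_post' is the per-post meta capability; a Subscriber does not hold it
    // for other users' posts, so the integrity impact is blocked here.
    if ( ! $target_id || ! current_user_can( 'edit_post', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_update_post( array(
        'ID'           => $target_id,
        'post_content' => $source->post_content,
    ) );
    wp_send_json_success();
}

// Only the checked handler is registered for logged-in users.
add_action( 'wp_ajax_example_duplicate_layout', 'example_duplicate_layout_checked' );
```

The point of checking both posts separately is that the two impacts in the description are distinct: reading a private or password-protected source is the confidentiality problem, and writing the target is the integrity problem. A check on only one side leaves the other open. When auditing a plugin for this class of bug, the search is for `wp_update_post`, `wp_insert_post` or direct `$wpdb` writes reachable from `wp_ajax_*`, `admin_post_*` or REST callbacks without a `current_user_can()` on the specific post ID.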

Tracking


Advisories

No advisories yet.

History

Tue, 23 Dec 2025 23:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Tue, 23 Dec 2025 16:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Dec 2025 09:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'duplicate_wpml_layout' function in all versions up to, and including, 2.9.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary posts with the content of other existing posts, potentially exposing private and password-protected content and deleting any content that is not saved in revisions or backups. Posts must have been created with Beaver Builder to be copied or updated.
Type: Title
  Values Removed: (none)
  Values Added: Beaver Builder – WordPress Page Builder <= 2.9.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Update
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-862
Type: References
  Values Removed: (none)
  Values Added: (none)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:40.037Z

Reserved: 2025-11-09T21:45:35.493Z

Link: CVE-2025-12934

Vulnrichment

Updated: 2025-12-23T15:24:23.794Z

NVD

Status : Deferred

Published: 2025-12-23T10:15:42.953

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses