Deserialization of untrusted data in Beaver Builder WordPress Assistant plugin allows an attacker to inject PHP objects, potentially enabling arbitrary code execution or other malicious actions. The vulnerability arises when the plugin deserializes client‑supplied input without proper validation, giving an adversary control over object properties and execution flow. This flaw could compromise the confidentiality, integrity, and availability of the affected WordPress site if successfully exploited.

All installations of the WordPress Assistant plugin from Beaver Builder with version 1.5.1 or earlier are affected. The vulnerability applies to every site using the plugin regardless of the WordPress core version, as the flaw resides in the plugin code itself.

The CVSS base score of 7.2 indicates a high severity, while the EPSS score of less than 1% shows that exploitation is currently considered unlikely. The flaw is not listed in the CISA KEV catalog, meaning no known active exploits have been reported. Based on the description, it is inferred that an attacker would need to supply crafted input that triggers the vulnerable deserialization logic, which could be achieved via a special HTTP request or through an authenticated user’s request if the plugin accepts user data. The likely attack vector is the injection of malicious serialized data into the plugin's inputs. The lack of high EPSS suggests that the threat remains moderate until an exploit becomes available.