Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection.This issue affects Beaver Builder: from n/a through <= 2.9.4.1.
Published: 2026-01-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Beaver Builder Lite for WordPress, in every release up to and including 2.9.4.1, contains an Improper Control of Generation of Code weakness (CWE-94). An attacker who can get input into the plugin's code-generation path can have that input executed on the web server; because the plugin runs as PHP inside the WordPress process, this is remote code execution with the web server's privileges, and the recorded CVSS vector rates confidentiality, integrity and availability impact all High. A successful exploit therefore means full compromise of the site, not merely of the page being edited.

Affected Systems

Every release of Beaver Builder Lite (plugin slug beaver-builder-lite-version) from the earliest version through 2.9.4.1 inclusive. The record gives no lower bound ("from n/a"), so no older version should be assumed safe. Any WordPress site with one of these versions installed remains exposed until the plugin is updated to a fixed release.
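To check a fleet against that range, here is an added example written for this page (not OpenCVE's or Beaver Builder's code). It parses the JSON that `wp plugin list --format=json` emits, matches the plugin slug named in the description, and compares versions component by component so that 2.10.0 sorts above 2.9.4.1, which a plain string comparison gets wrong. The upper bound is the one from the description and "n/a" is treated as no lower bound; the sample plugin-list JSON is constructed for the example, not captured from a real site.

```python
import json
import re

# Plugin slug and bounds exactly as given in the CVE description
# ("from n/a through <= 2.9.4.1"); "n/a" as a lower bound means every earlier release.
AFFECTED_SLUG = "beaver-builder-lite-version"
FIRST_AFFECTED = "n/a"
LAST_AFFECTED = "2.9.4.1"

# Constructed sample of `wp plugin list --format=json` output (not from a real site).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "beaver-builder-lite-version", "status": "active", "update": "available", "version": "2.9.4.1"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3.1"},
])


def parse_version(version):
    """Turn '2.9.4.1' into (2, 9, 4, 1) so each component compares numerically.

    Anything after the leading dotted digits (e.g. '-beta1') is ignored, and trailing
    zero components are dropped so that '2.9.4.0' compares equal to '2.9.4'.
    """
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed, first=FIRST_AFFECTED, last=LAST_AFFECTED):
    """True when `installed` lies inside [first, last]; 'n/a' as `first` means no lower bound."""
    v = parse_version(installed)
    above_lower = first == "n/a" or v >= parse_version(first)
    at_or_below_upper = v <= parse_version(last)
    return above_lower and at_or_below_upper


def triage(wp_plugin_list_json, slug=AFFECTED_SLUG):
    """Return {slug: {"version", "status", "affected"}} for plugins matching `slug`.

    Inactive copies are reported too: the vulnerable code stays on disk until updated.
    """
    findings = {}
    for plugin in json.loads(wp_plugin_list_json):
        if plugin.get("name") == slug:
            findings[slug] = {
                "version": plugin["version"],
                "status": plugin.get("status"),
                "affected": is_affected(plugin["version"]),
            }
    return findings


if __name__ == "__main__":
    for name, info in triage(SAMPLE_WP_PLUGIN_LIST).items():
        verdict = "AFFECTED" if info["affected"] else "not affected"
        print(f"{name} {info['version']} ({info['status']}): {verdict}")
```

On a real site, feed the output of `wp plugin list --format=json` to `triage()` in place of the constructed sample; the version parsing handles four-component releases such as 2.9.4.1 as well as three-component ones.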

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (High) is derived from the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H recorded in the History section: reachable over the network with no user interaction and total impact, but with high attack complexity and low privileges required. PR:L means the assessor expects the attacker to hold a low-privileged authenticated account, not necessarily an administrator one; the same impact with AC:L and PR:N would score 9.8. The EPSS estimate of under 1% and the SSVC assessment (Exploitation: none, Automatable: no) indicate no known exploitation at assessment time, and the CVE is not in the CISA KEV catalog. The public description does not name the input that reaches the code-generation mechanism; the most plausible routes are the builder's editor inputs that accept code or markup, used either from a low-privileged account or after a credential compromise. Treat the issue as high-impact once an attacker has any authenticated foothold on the site.

Generated by OpenCVE AI on April 28, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Beaver Builder Lite to a release newer than 2.9.4.1. This list names 2.9.4.2 as the first fixed version, but the Remediation field above records no vendor fix yet, so confirm the fixed version in the vendor's changelog before treating a site as patched.
  • If an upgrade is not immediately possible, limit who can open the Beaver Builder editor to the smallest set of trusted accounts and disable any builder module that accepts raw code or markup until the patch is applied; with PR:L in the vector, every authenticated role that can reach the builder counts, not only administrators.
  • Restrict WordPress administrative access to trusted users and apply general hardening: strong unique passwords, two-factor authentication, and regular review of which accounts hold elevated roles.

Advisories

No advisories yet.

History

All entries below are additions; no values were removed in any change.

Tue, 27 Jan 2026 19:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values added: vendors Wordpress, Wpbeaverbuilder; products Wordpress / wordpress, Wpbeaverbuilder / beaver Builder

Type: Vendors & Products
Values added: vendors Wordpress, Wpbeaverbuilder; products Wordpress / wordpress, Wpbeaverbuilder / beaver Builder

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values added: Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection.This issue affects Beaver Builder: from n/a through <= 2.9.4.1.

Type: Title
Values added: WordPress Beaver Builder plugin <= 2.9.4.1 - Arbitrary Code Execution vulnerability

Type: Weaknesses
Values added: CWE-94

Type: References
Values added: none recorded

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:49:04.980Z

Reserved: 2025-12-31T20:12:13.401Z

Link: CVE-2025-69319

Vulnrichment

Updated: 2026-01-27T18:20:17.692Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:27.713

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69319

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:15:37Z

Weaknesses