Description
The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘auto_play’ parameter in all versions up to, and including, 2.9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-23
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Beaver Builder Plugin (Starter Version) contains a stored cross‑site scripting flaw triggered through the auto_play parameter. The vulnerability arises from insufficient input sanitization and output escaping, allowing an authenticated user with Contributor or higher privileges to embed arbitrary JavaScript in a page that is then rendered for every visitor who views that page.

Affected Systems

All editions of the Beaver Builder Plugin (Starter Version) for WordPress, including every release up to and including version 2.9.2.1, are affected. The flaw is documented by The Beaver Builder Team and listed in the vendor’s changelog.

Risk and Exploitability

The flaw has a CVSS score of 6.4, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not present in CISA’s KEV catalog. An attacker must first authenticate with Contributor-level or higher access; once authenticated, the attacker can store a malicious payload in the auto_play setting of a page, which will execute in the browsers of anyone who visits that page.

Generated by OpenCVE AI on April 20, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Beaver Builder Plugin (Starter Version) release, which removes the auto_play sanitization flaw.
  • If you cannot upgrade immediately, restrict the capability of Contributor and higher roles to edit pages that use the Beaver Builder plugin, or disable the auto_play feature where possible.
  • Deploy a Content Security Policy that blocks inline script execution to provide an additional defense against stored XSS payloads.

Generated by OpenCVE AI on April 20, 2026 at 21:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Dec 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Fastlinemedia
Fastlinemedia beaver Builder
CPEs cpe:2.3:a:fastlinemedia:beaver_builder:*:*:*:*:lite:wordpress:*:*
Vendors & Products Fastlinemedia
Fastlinemedia beaver Builder

Fri, 24 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared The Beaver Builder Team
The Beaver Builder Team beaver Builder
Wordpress
Wordpress wordpress
Vendors & Products The Beaver Builder Team
The Beaver Builder Team beaver Builder
Wordpress
Wordpress wordpress

Thu, 23 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 13:00:00 +0000

Type Values Removed Values Added
Description The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘auto_play’ parameter in all versions up to, and including, 2.9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Beaver Builder Plugin (Starter Version) <= 2.9.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'auto_play'
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Fastlinemedia Beaver Builder
The Beaver Builder Team Beaver Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:43.469Z

Reserved: 2025-07-31T17:54:38.284Z

Link: CVE-2025-8427

cve-icon Vulnrichment

Updated: 2025-10-23T13:40:29.419Z

cve-icon NVD

Status : Analyzed

Published: 2025-10-23T13:15:46.113

Modified: 2025-12-19T22:15:32.730

Link: CVE-2025-8427

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses