4.3

CVE-2025-11726

EPSS 0.04%
Veröffentlicht 02.12.2025 07:24:31
Zuletzt bearbeitet 11.12.2025 20:27:36
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Global Preset Modification

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets. This makes it possible for authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets that affect all Beaver Builder content site-wide.

Mögliche Gegenmaßnahme

Beaver Builder Page Builder – Drag and Drop Website Builder: Update to version 2.9.4.1, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Beaver Builder Page Builder – Drag and Drop Website Builder

Version *-2.9.4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fastlinemedia ≫ Beaver Builder SwEditionlite SwPlatformwordpress Version < 2.9.4.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.122

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/b797e141-a9d2-48c4-a44e-a59a80a90a5b?source=cve

Third Party Advisory

https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L53

Product

https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L252

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406987%40beaver-builder-lite-version&new=3406987%40beaver-builder-lite-version&sfp_email=&sfph_mail=

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/b797e141-a9d2-48c4-a44e-a59a80a90a5b

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-11726

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-11726

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-11726

EUVD