Beaver Builder WordPress Page Builder Missing Authorization Vulnerability in REST API Endpoints

Vulnerability

A missing authorization vulnerability has been identified in the Beaver Builder WordPress Page Builder plugin, affecting all versions through 2.9.4. The issue arises from inadequate capability checks in the REST API endpoints under the 'fl-controls/v1' namespace, which manage site-wide Global Presets. This vulnerability allows authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets, impacting all Beaver Builder content across the site.

Impact

Exploitation of this vulnerability allows for unauthorized modification of global color and background presets, which can disrupt the appearance and consistency of Beaver Builder content site-wide.

Remediation

Users can update to version 2.9.4.1 or a newer patched version to address this vulnerability.
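For sites that cannot update right away, the missing capability check can be enforced from outside the plugin. The following is an added example, not Beaver Builder's code or its patch: a must-use plugin that rejects write requests to the 'fl-controls/v1' namespace unless the user holds a required capability. The capability chosen (manage_options), the constant names and the file location are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict fl-controls/v1 writes (temporary mitigation)
 *
 * Added example, not Beaver Builder code. Assumed location:
 * wp-content/mu-plugins/restrict-fl-controls.php
 */

// Assumption: only administrators should change site-wide Global Presets.
const FLC_REQUIRED_CAP = 'manage_options';
// REST namespace named in the advisory.
const FLC_NAMESPACE = '/fl-controls/v1';

add_filter(
	'rest_request_before_callbacks',
	function ( $response, $handler, $request ) {
		// Keep any error raised earlier in the request lifecycle.
		if ( is_wp_error( $response ) ) {
			return $response;
		}

		// Only act on routes inside the affected namespace.
		$route = $request->get_route();
		if ( FLC_NAMESPACE !== $route && 0 !== strpos( $route, FLC_NAMESPACE . '/' ) ) {
			return $response;
		}

		// Read-only methods pass through; add/modify/delete need the capability.
		if ( in_array( $request->get_method(), array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
			return $response;
		}

		if ( ! current_user_can( FLC_REQUIRED_CAP ) ) {
			// 401 for anonymous callers, 403 for logged-in users without the capability.
			return new WP_Error(
				'rest_forbidden',
				'You are not allowed to change global presets.',
				array( 'status' => rest_authorization_required_code() )
			);
		}

		return $response;
	},
	10,
	3
);
```

Remove the file once the site runs 2.9.4.1 or a newer patched version.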

Added: Dec 2, 2025, 8:20 AM
Updated: Dec 2, 2025, 8:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.9
remediation: 7.7
relevance: 1.3
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.