vulnerability

WordPress Plugin: beaver-builder-lite-version: CVE-2025-11726: Missing Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:L/Au:S/C:N/I:P/A:N)	Dec 1, 2025	Dec 2, 2025	Dec 3, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:N/I:P/A:N)

Published

Dec 1, 2025

Added

Dec 2, 2025

Modified

Dec 3, 2025

Description

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets. This makes it possible for authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets that affect all Beaver Builder content site-wide.

Solution

beaver-builder-lite-version-plugin-cve-2025-11726

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-11726
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/b797e141-a9d2-48c4-a44e-a59a80a90a5b?source=api-prod
CVE-2025-11726
https://attackerkb.com/topics/CVE-2025-11726
CWE-862

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today