CVE-2025-11726
📋 TL;DR
The Beaver Builder WordPress plugin has a missing authorization vulnerability that allows authenticated users with contributor-level access or higher to modify global color and background presets that affect all Beaver Builder content site-wide. This affects all versions up to and including 2.9.4. Attackers can add, modify, or delete these presets through insufficiently protected REST API endpoints.
💻 Affected Systems
- Beaver Builder – WordPress Page Builder
📦 What is this software?
Beaver Builder by Fastlinemedia
⚠️ Risk & Real-World Impact
Worst Case
An attacker with contributor access could modify global presets to inject malicious CSS/JavaScript, potentially leading to site defacement, credential theft via phishing, or content manipulation affecting all Beaver Builder pages.
Likely Case
Malicious contributors or compromised accounts could alter site appearance, disrupt design consistency, or inject minor malicious content through preset modifications.
If Mitigated
With proper user access controls and monitoring, impact is limited to authorized users making legitimate preset changes.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via REST API calls to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.5
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Beaver Builder plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.9.5+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Restrict REST API Access
Temporarily restrict access to the vulnerable REST API endpoints using security plugins or web server rewrite rules. Place the rule before the WordPress rewrite block in .htaccess. Note that WordPress also serves the REST API as index.php?rest_route=/fl-controls/v1/..., which a path-based rule like the one below does not cover, and that the rule blocks legitimate administrator use of these endpoints until it is removed.
# Add to .htaccess (before the WordPress rules) or web server config to block fl-controls/v1 endpoints
RewriteRule ^wp-json/fl-controls/v1/.*$ - [F,L]
Limit Contributor Roles
Grant contributor-level (or higher) access only to users who need it, review existing contributor accounts, and monitor their activity until the plugin is patched.
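A second temporary workaround that enforces the restriction inside WordPress instead of at the web server, so it also covers the rest_route query-string form of the API. This is an added example mu-plugin, not code from the Beaver Builder project; it assumes that only users holding manage_options should reach the fl-controls/v1 namespace on your site, and the capability and the route names are placeholders to adjust.

```php
<?php
/**
 * Plugin Name: Restrict fl-controls/v1 REST namespace (temporary mitigation)
 * Description: Drop-in mu-plugin (wp-content/mu-plugins/) that requires a
 *              high-privilege capability for every request under
 *              /fl-controls/v1/ until Beaver Builder 2.9.5+ is installed.
 */

// Assumption: only administrators should manage global presets on this
// site. Lower this (e.g. to 'edit_theme_options') if editors need access.
const FL_CONTROLS_GUARD_CAP = 'manage_options';

/**
 * Short-circuit REST dispatch for the vulnerable namespace. Hooking the WP
 * REST server (rather than the web server) also catches requests made as
 * index.php?rest_route=/fl-controls/v1/... which .htaccess path rules miss.
 *
 * @param mixed           $result  Existing short-circuit value (null = none).
 * @param WP_REST_Server  $server  REST server instance (unused).
 * @param WP_REST_Request $request Incoming request.
 * @return mixed WP_Error to block, otherwise the unchanged $result.
 */
function fl_controls_guard_pre_dispatch( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already decided this request
    }
    $route = $request->get_route(); // e.g. "/fl-controls/v1/<route>" (names not given here)
    if ( 0 !== strpos( $route, '/fl-controls/v1/' ) ) {
        return $result; // not the namespace we are guarding
    }
    if ( current_user_can( FL_CONTROLS_GUARD_CAP ) ) {
        return $result; // privileged user: let the plugin handle it normally
    }
    // Record the blocked attempt so it shows up alongside the log indicators below.
    error_log( sprintf(
        'fl-controls guard: blocked %s %s for user %d',
        $request->get_method(), $route, get_current_user_id()
    ) );
    // 401 for anonymous callers, 403 for logged-in users lacking the capability.
    return new WP_Error(
        'rest_forbidden',
        'Beaver Builder preset endpoints are temporarily restricted.',
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_pre_dispatch', 'fl_controls_guard_pre_dispatch', 10, 3 );
```

Remove the file from wp-content/mu-plugins/ once the plugin has been updated to 2.9.5 or later.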
🧯 If You Can't Patch
- Implement strict user access controls and review contributor-level permissions.
- Monitor REST API logs for suspicious activity targeting fl-controls/v1 endpoints.
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins and check the Beaver Builder version. If the version is 2.9.4 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=beaver-builder-lite-version --field=version
Verify Fix Applied:
Confirm that the Beaver Builder plugin version shown in the WordPress admin panel (or by the WP-CLI command above) is 2.9.5 or higher.
📡 Detection & Monitoring
Log Indicators:
- REST API requests to /wp-json/fl-controls/v1/ endpoints from non-admin users
- Unauthorized modifications to Beaver Builder global presets
Network Indicators:
- HTTP POST/PUT/DELETE requests to /wp-json/fl-controls/v1/* endpoints
SIEM Query:
source="wordpress_logs" AND (uri_path="/wp-json/fl-controls/v1/*" AND user_role!="administrator")
🔗 References
- https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L252
- https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L53
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406987%40beaver-builder-lite-version&new=3406987%40beaver-builder-lite-version&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b797e141-a9d2-48c4-a44e-a59a80a90a5b?source=cve