CVE-2025-12558
📋 TL;DR
The Beaver Builder WordPress plugin up to version 2.9.4 contains an information disclosure vulnerability that allows authenticated users with Contributor-level access or higher to access metadata and paths of private attachments. This could enable attackers to view files that should be restricted. Only WordPress sites using vulnerable Beaver Builder versions are affected.
💻 Affected Systems
- Beaver Builder - WordPress Page Builder
📦 What is this software?
Beaver Builder by Fastlinemedia
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive private files containing confidential information, intellectual property, or personal data, leading to data breaches and regulatory violations.
Likely Case
Authenticated users with malicious intent could access private media files they shouldn't have permission to view, potentially exposing sensitive content.
If Mitigated
With proper access controls and monitoring, the impact is limited to authorized users who already have some level of access to the system.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.5 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3406987
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Beaver Builder plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.9.5+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Restrict User Roles
Temporarily limit or remove Contributor-level access until patching is complete.
Disable Beaver Builder
Temporarily deactivate the plugin if it is not essential for site functionality.
wp plugin deactivate beaver-builder-lite-version
🧯 If You Can't Patch
- Implement strict access controls and monitor user activity for suspicious attachment access patterns.
- Use web application firewall rules to block requests to the vulnerable 'get_attachment_sizes' function endpoint.
🔍 How to Verify
Check if Vulnerable:
Check Beaver Builder plugin version in WordPress admin under Plugins > Installed Plugins. If version is 2.9.4 or lower, the system is vulnerable.
Check Version:
wp plugin get beaver-builder-lite-version --field=version
Verify Fix Applied:
Verify plugin version is 2.9.5 or higher after update. Test with a Contributor-level account that access to private attachments is properly restricted.
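As an added example (not part of this advisory or of the plugin), a POSIX shell check that applies the rule above: 2.9.4 or lower is vulnerable, 2.9.5 or later is fixed. It compares version fields numerically so that a release such as 2.9.10 is not mistaken for a vulnerable one by a plain string comparison; `check_site` assumes WP-CLI is on PATH and is run from the WordPress root.

```shell
#!/bin/sh
# Added example: decide whether an installed Beaver Builder version is below
# the fixed release 2.9.5, comparing dot-separated fields as numbers.

FIXED_VERSION="2.9.5"

# vfield VERSION N: print the N-th numeric field of VERSION, or 0 if absent.
# A trailing dot is appended so cut always sees a delimiter.
vfield() {
  f=$(printf '%s.' "$1" | cut -d. -f"$2")
  printf '%s' "${f:-0}"
}

# version_lt A B: exit 0 when A < B (numeric, up to three fields; any
# pre-release suffix such as "-beta" is stripped before comparing).
version_lt() {
  a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
  i=1
  while [ "$i" -le 3 ]; do
    fa=$(vfield "$a" "$i"); fb=$(vfield "$b" "$i")
    [ "$fa" -lt "$fb" ] && return 0
    [ "$fa" -gt "$fb" ] && return 1
    i=$((i + 1))
  done
  return 1   # all fields equal, so A is not less than B
}

# is_vulnerable VERSION: exit 0 when VERSION is affected by CVE-2025-12558
# (anything below 2.9.5).
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_site: read the live version via WP-CLI (assumption: wp is on PATH and
# the current directory is the WordPress root) and report the result.
check_site() {
  v=$(wp plugin get beaver-builder-lite-version --field=version) || return 2
  if is_vulnerable "$v"; then
    echo "Beaver Builder $v: VULNERABLE, update to $FIXED_VERSION or later"
    return 0
  fi
  echo "Beaver Builder $v: not affected"
  return 1
}
```

Source the file and run `check_site` on the host; `is_vulnerable` can also be fed a version string from an inventory export.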
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to attachment endpoints by Contributor-level users
- Multiple requests to /wp-json/ endpoints related to media attachments
Network Indicators:
- HTTP requests to Beaver Builder API endpoints with parameters targeting attachment metadata
SIEM Query:
source="wordpress.log" AND ("get_attachment_sizes" OR "attachment" OR "private") AND user_role="contributor"
🔗 References
- https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L216
- https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L71
- https://plugins.trac.wordpress.org/changeset/3406987
- https://www.wordfence.com/threat-intel/vulnerabilities/id/eb2f6c67-ef4a-4afc-bd61-6c0185e354a8?source=cve