CVE-2025-1279
📋 TL;DR
The BM Content Builder WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to modify WordPress site options. Attackers can change the default user registration role to administrator and enable user registration, gaining full administrative control. All WordPress sites using this plugin up to version 3.16.2.1 are affected.
💻 Affected Systems
- BM Content Builder WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrative access, install backdoors, steal data, deface the site, or use it for further attacks.
Likely Case
Attackers create administrator accounts for themselves, gaining full control over the WordPress site and its content.
If Mitigated
Limited impact if proper access controls, monitoring, and network segmentation are in place to detect and contain the attack.
🎯 Exploit Status
Exploitation requires authenticated access but only at Subscriber level, which is the lowest WordPress user role. The attack vector is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.16.2.1
Vendor Advisory: https://themeforest.net/item/art-simple-clean-wordpress-theme-for-creatives/20170299
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find BM Content Builder. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and remove the plugin immediately.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allRemove or restrict access to the vulnerable ux_cb_tools_import_item_ajax AJAX action
Add to theme's functions.php: remove_action('wp_ajax_ux_cb_tools_import_item_ajax', 'callback_function_name');
Restrict user registration
allDisable user registration to prevent attackers from creating administrator accounts
In WordPress admin: Settings > General > uncheck 'Anyone can register'
🧯 If You Can't Patch
- Immediately deactivate and remove the BM Content Builder plugin from all WordPress installations
- Implement strict access controls, monitor for unauthorized user creation, and review existing administrator accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > BM Content Builder. If version is 3.16.2.1 or lower, you are vulnerable.Check Version:
wp plugin list --name='BM Content Builder' --field=versionVerify Fix Applied:
After updating, verify plugin version is higher than 3.16.2.1. Test that Subscriber users cannot modify site options.📡 Detection & Monitoring
Log Indicators:
- Unauthorized AJAX requests to admin-ajax.php with action=ux_cb_tools_import_item_ajax
- Sudden creation of new administrator accounts
- Changes to WordPress options like default_role or users_can_register
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with the vulnerable action parameter from non-admin users
SIEM Query:
source="wordpress.log" AND ("action=ux_cb_tools_import_item_ajax" OR "default_role" OR "users_can_register")