CVE-2025-59002
📋 TL;DR
This path traversal vulnerability in the SeaTheme BM Content Builder WordPress plugin allows attackers to delete arbitrary files on the server. It affects all WordPress sites running vulnerable versions of the BM Content Builder plugin, potentially leading to website compromise or data loss.
💻 Affected Systems
- SeaTheme BM Content Builder WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete website compromise through deletion of critical system files, database destruction, or installation of backdoors via file manipulation.
Likely Case
Website defacement, deletion of WordPress core files causing site outage, or deletion of user-uploaded content.
If Mitigated
Limited impact if file permissions are properly configured and web server runs with minimal privileges.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. Attackers can craft HTTP requests with directory traversal sequences to delete files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.16.3.4 and later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find BM Content Builder.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable BM Content Builder Plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate bm-builder
Web Application Firewall Rule
Block directory traversal patterns in HTTP requests
Add WAF rule to block requests containing '../' or similar traversal sequences
🧯 If You Can't Patch
- Remove BM Content Builder plugin completely if not essential
- Implement strict file permissions (web server should have read-only access to most directories)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → BM Content Builder version. If version is 3.16.3.3 or earlier, you are vulnerable.
Check Version:
wp plugin get bm-builder --field=version
Verify Fix Applied:
Verify plugin version is 3.16.3.4 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' sequences to plugin endpoints
- File deletion errors in web server logs
- 404 errors for unexpected file paths
Network Indicators:
- HTTP POST/GET requests to /wp-content/plugins/bm-builder/ with traversal sequences
SIEM Query:
source="web_server" AND (uri="*../*" OR uri="*/bm-builder/*") AND (method="POST" OR method="GET")
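The SIEM query above matches only a literal '../'; a percent-encoded '%2e%2e%2f' or double-encoded variant slips past it. As an added example (not part of this advisory or the plugin's code), the following Python scans web server access log lines for requests to the bm-builder plugin path whose decoded URI contains a traversal sequence. The sample log lines and the 'file=' parameter are constructed placeholders, not the plugin's real endpoints or parameters.

```python
import re
from urllib.parse import unquote

PLUGIN_PATH = "/wp-content/plugins/bm-builder/"
# '../' or '..\' anywhere in the decoded URI (path or query string)
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Apache/nginx common log format: host ident user [time] "METHOD URI PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')


def normalise_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both become ../ ."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_traversal_against_plugin(uri: str) -> bool:
    """True when the decoded URI targets the plugin path and carries a traversal sequence."""
    decoded = normalise_uri(uri)
    return PLUGIN_PATH in decoded and TRAVERSAL.search(decoded) is not None


def find_hits(lines):
    """Return (client, method, decoded_uri, status) for every matching log line."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, method, uri, status = m.groups()
        if is_traversal_against_plugin(uri):
            hits.append((client, method, normalise_uri(uri), int(status)))
    return hits


# Constructed sample log lines (not real traffic); 'file=' is a placeholder parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /wp-content/plugins/bm-builder/?file=../../example-target.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2025:13:56:01 +0000] "POST /wp-content/plugins/bm-builder/?file=%2e%2e%2f%2e%2e%2fexample-target.txt HTTP/1.1" 200 12',
    '203.0.113.9 - - [10/Oct/2025:13:56:02 +0000] "POST /wp-content/plugins/bm-builder/?file=%252e%252e%252fexample-target.txt HTTP/1.1" 200 12',
    '198.51.100.2 - - [10/Oct/2025:13:57:10 +0000] "GET /wp-content/plugins/bm-builder/assets/style.css HTTP/1.1" 200 3410',
    '198.51.100.3 - - [10/Oct/2025:13:58:00 +0000] "GET /index.php?p=../../other.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)  # the first three sample lines are reported; the last two are not
```

Feed the script real access logs line by line and alert on any hit; the decoding step is what makes it catch the encoded variants the plain-text SIEM query misses.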