EUVD-2025-27983 | CVE-2025-4102 | HIGH
Published 2025-06-20 by [email protected]
CVSS 3.1 base score: 7.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 00:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 00:19 (euvd) EUVD-2025-27983
CVE Published: Jun 20, 2025 - 12:15 (nvd) HIGH 7.2

Description

The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_enabled_icons' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 2.9.1.

Analysis

The Beaver Builder Plugin (Starter Version) for WordPress contains an arbitrary file upload vulnerability in the 'save_enabled_icons' function due to missing file type validation, affecting all versions up to and including 2.9.1. Authenticated attackers with Administrator-level access can upload arbitrary files to the server, potentially enabling remote code execution. The vulnerability was only partially patched in version 2.9.1, indicating residual risk in the latest release.

Technical Context

This vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a file upload validation weakness. The 'save_enabled_icons' function in the Beaver Builder WordPress plugin fails to implement proper file type validation or MIME type checking before storing uploaded files on the server. WordPress plugins execute within the PHP runtime environment with the privileges of the web server process, so arbitrary file uploads can result in arbitrary PHP execution. The vulnerability affects the Beaver Builder plugin (CPE: wp:beaver_builder), a page builder for WordPress. The partial patch in version 2.9.1 suggests the initial fix may have been incomplete or bypassable, leaving the core validation flaw partially unresolved.

Affected Products

Beaver Builder Plugin (Starter Version) (All versions up to and including 2.9.1)

Remediation

- Upgrade immediately to Beaver Builder version 2.9.2 or later. Version 2.9.1 was only partially patched; a complete fix was released in subsequent versions. Update through the WordPress admin dashboard (Plugins > Installed Plugins > Beaver Builder > Update) or download from the WordPress plugin repository.
- Apply the vendor security patch. Contact Beaver Builder support or check the official plugin changelog for security advisories and complete patch details at https://www.wpbeaverbuilder.com/
- Implement file upload restrictions at the server level. Configure the web server (Apache/Nginx) to restrict executable file uploads to the WordPress uploads directory using .htaccess rules or server configuration blocks. Example: deny execution of PHP files in /wp-content/uploads/
- Audit WordPress administrator accounts. Review the user list and audit logs for unauthorized or suspicious admin accounts that may have exploited the vulnerability. Revoke unnecessary admin privileges and enforce strong password policies.
- Monitor file uploads and run a security scan. Scan the uploads directory for suspicious files (PHP, JSP, executable types) that may have been uploaded. Use WordPress security plugins (Wordfence, Sucuri) to detect and remediate malicious files.
- Implement Web Application Firewall (WAF) rules. Deploy WAF rules to block file uploads with dangerous extensions (.php, .phtml, .exe, etc.) to the WordPress upload endpoints.
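A server-side sweep for the kind of files the scan step above is looking for, as an added example that is not part of the vuln.today record or the Beaver Builder plugin. It assumes a POSIX shell with find, head and grep, and the sample uploads tree it builds is constructed demo data.

```shell
#!/bin/sh
# Added example, not code from vuln.today or the Beaver Builder plugin.
# Sweep a WordPress uploads tree for files that should never be there:
#   1. server-side executable extensions anywhere in the file name, which
#      also catches double extensions ("icon.php.png") and mixed case (".PHP");
#   2. a PHP open tag inside files that claim to be images, icons or fonts.
# Usage: scan_uploads /var/www/html/wp-content/uploads
# Output: one line per finding, "<reason><TAB><path>".
scan_uploads() {
    find "$1" -type f | while IFS= read -r f; do
        # Lower-case the base name so case tricks are not missed.
        lname=$(basename "$f" | tr 'A-Z' 'a-z')
        case "$lname" in
            *.php|*.php[0-9]|*.phtml|*.phar|*.jsp|*.exe|*.sh|*.php.*|*.phtml.*|*.phar.*)
                printf 'dangerous-extension\t%s\n' "$f"
                continue ;;
        esac
        case "$lname" in
            *.png|*.jpg|*.jpeg|*.gif|*.svg|*.ico|*.woff|*.ttf)
                # Polyglot check: look at the first 4 KiB for a PHP tag.
                if head -c 4096 "$f" | grep -aq '<?php'; then
                    printf 'php-tag-in-media\t%s\n' "$f"
                fi ;;
        esac
    done
}

# Build a constructed sample uploads tree (demo data, not real plugin files)
# in a temporary directory and print its path.
make_sample_uploads() {
    root=$(mktemp -d)
    mkdir -p "$root/2025/06" "$root/bb-plugin/icons"
    printf 'PNG bytes\n' > "$root/2025/06/photo.png"                        # benign
    printf 'icons: [ "fa-star" ]\n' > "$root/bb-plugin/icons/config.json"   # benign
    printf '<?php echo 1; ?>' > "$root/bb-plugin/icons/shell.PHP"           # upper-case ext
    printf '<?php echo 1; ?>' > "$root/bb-plugin/icons/icon.php.png"        # double ext
    printf 'GIF89a<?php echo 1; ?>' > "$root/bb-plugin/icons/icon.gif"      # polyglot
    printf '%s\n' "$root"
}

# Demo run: scan the constructed tree, then clean it up.
demo_root=$(make_sample_uploads)
scan_uploads "$demo_root"
rm -rf "$demo_root"
```

On a real site, point scan_uploads at the uploads directory and review each flagged path by hand; a hit is a reason to investigate, not proof of compromise on its own.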

Priority Score

37 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.5
CVSS: +36
POC: 0

EUVD-2025-27983 vulnerability details – vuln.today