CVE-2025-4102

moderate-risk

Published 2025-06-20

The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_enabled_icons' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 2.9.1.

Do I need to act?

0.51% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (1)

Beaver Builder

Affected Vendors

Fastlinemedia

References (2)

Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/2eb4608f-fa4f-444c-a85...

Product https://www.wpbeaverbuilder.com/change-logs/?utm_medium=bb-lite&utm_source=repo-...

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal