Sensitive Information Exposure in Beaver Builder WordPress Page Builder Plugin
CVE-2025-12558

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Beaver Builder Page Builder – Drag And Drop Website Builder
Vendor: CVE Published:; 9 December 2025

What is CVE-2025-12558?

The Beaver Builder – WordPress Page Builder plugin for WordPress has a vulnerability that allows authenticated users with Contributor-level access or higher to exploit the 'get_attachment_sizes' function. This vulnerability exposes sensitive information such as the path and metadata of private attachments. This could potentially lead to unauthorized access and viewing of confidential data, highlighting a significant concern for data privacy and security within affected versions.

Affected Version(s)

Beaver Builder Page Builder – Drag and Drop Website Builder * <= 2.9.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/beaver-builder...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 9, 2025
Vulnerability Reserved
Oct 31, 2025

Credit

Athiwat Tiprasaharn

JSON