Unauthorized Data Modification in Beaver Builder WordPress Page Builder Plugin
CVE-2025-12934

8.1HIGH

Key Information:

Vendor

WordPress
Status
Beaver Builder Page Builder – Drag And Drop Website Builder
Vendor
CVE Published:
23 December 2025

What is CVE-2025-12934?

The Beaver Builder plugin for WordPress is susceptible to unauthorized data manipulation due to a lack of adequate capability checks in the 'duplicate_wpml_layout' function. This vulnerability allows authenticated users, starting from Subscriber-level access, to modify posts created with Beaver Builder. Attackers could replace the content of existing posts with data from other posts, potentially revealing private content and deleting unsaved data. This issue affects all versions of the plugin up to and including 2.9.4.1 and emphasizes the need for tighter security controls to prevent undesirable data modifications.

Affected Version(s)

Beaver Builder Page Builder – Drag and Drop Website Builder * <= 2.9.4.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/beaver-builder...
https://plugins.trac.wordpress.org/browser/beaver-builder...

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn
JSON
.
CVE-2025-12934 : Unauthorized Data Modification in Beaver Builder WordPress Page Builder Plugin