Unauthorized Data Modification Vulnerability in BM Content Builder for WordPress
CVE-2025-1777

6.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
6 June 2025

What is CVE-2025-1777?

The BM Content Builder plugin for WordPress contains a vulnerability that allows authenticated attackers, including those with subscriber-level access and higher, to perform unauthorized modifications to data. Due to a missing capability check in the 'ux_cb_page_options_save' function, attackers can inject arbitrary web scripts into pages. This injected code will execute whenever a user visits the compromised page, potentially leading to data exposure or further exploitation.

Affected Version(s)

BM Content Builder * <= 3.16.2.1

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

István Márton
.
CVE-2025-1777 : Unauthorized Data Modification Vulnerability in BM Content Builder for WordPress