{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1777", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-28T11:04:10.400Z", "datePublished": "2025-06-06T05:22:43.193Z", "dateUpdated": "2026-04-08T17:34:31.448Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:31.448Z"}, "affected": [{"vendor": "SeaTheme", "product": "BM Content Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.16.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the 'ux_cb_page_options_save' function in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "BM Content Builder <= 3.16.2.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via ux_cb_page_options_save", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fb3e0251-c3b7-4360-87f3-7e4612d4f285?source=cve"}, {"url": "https://www.seatheme.net/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2025-02-28T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-02-28T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-06-05T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-06T15:43:59.725801Z", "id": "CVE-2025-1777", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T16:09:56.997Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1777", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-06T15:43:59.725801Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T15:44:01.765Z"}}], "cna": {"title": "BM Content Builder <= 3.16.2.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via ux_cb_page_options_save", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "SeaTheme", "product": "BM Content Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.16.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-28T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-02-28T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-06-05T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fb3e0251-c3b7-4360-87f3-7e4612d4f285?source=cve"}, {"url": "https://www.seatheme.net/"}], "descriptions": [{"lang": "en", "value": "The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the 'ux_cb_page_options_save' function in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:31.448Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1777", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:31.448Z", "dateReserved": "2025-02-28T11:04:10.400Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-06T05:22:43.193Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the 'ux_cb_page_options_save' function in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento BM Content Builder para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n 'ux_cb_page_options_save' en todas las versiones hasta la 3.16.2.1 incluida. Esto permite a atacantes autenticados, con acceso de suscriptor o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-1777", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-06T06:15:31.163", "references": [{"source": "security@wordfence.com", "url": "https://www.seatheme.net/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fb3e0251-c3b7-4360-87f3-7e4612d4f285?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:37:59.049028+00:00", "value": {"mitigation_remediation": ["Upgrade BM Content Builder to a version newer than 3.16.2.1 where the missing capability check has been added", "If an upgrade is not immediately possible, remove the plugin or disable the page options saving feature for subscribers and lower roles", "Apply strong role\u2011based permissions so that only trusted administrators can edit page options, and audit user accounts for unnecessary high\u2011level privileges"], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification of data leading to stored cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "SeaTheme\u2019s BM Content Builder plugin, versions up to and including 3.16.2.1, is affected. Systems running any WordPress site that has this plugin installed and has configured subscriber or higher roles are vulnerable.", "description_and_impact": "The BM Content Builder plugin for WordPress contains a missing capability check in the function that saves page options. Because of this, an authenticated user with subscriber-level or higher access can inject arbitrary JavaScript into any page. When that page is viewed by other users, the injected scripts run in their browsers, enabling the attacker to steal credentials, forge requests, or perform other client\u2011side malicious actions. The weakness is classified as CWE\u2011862, representing a missing authorization test.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity risk. The EPSS score of less than 1% suggests a very low probability that an exploit is currently being attempted, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated subscriber or higher; therefore, it is limited to users who already have legitimate access to the site. Nonetheless, because the injected scripts execute on every visitor to the affected page, the impact can reach a large audience once the attack is performed."}}}}, "created": "2026-04-20T22:45:20.544349+00:00", "updated": "2026-04-20T22:45:20.544359+00:00", "vendors": []}