{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69319", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:13.401Z", "datePublished": "2026-01-22T16:52:33.399Z", "dateUpdated": "2026-04-28T20:49:04.980Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "beaver-builder-lite-version", "product": "Beaver Builder", "vendor": "Beaver Builder", "versions": [{"changes": [{"at": "2.9.4.2", "status": "unaffected"}], "lessThanOrEqual": "2.9.4.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "mcdruid | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:27.821Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection.<p>This issue affects Beaver Builder: from n/a through <= 2.9.4.1.</p>"}], "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection.This issue affects Beaver Builder: from n/a through <= 2.9.4.1."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.338Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/beaver-builder-lite-version/vulnerability/wordpress-beaver-builder-plugin-2-9-4-1-arbitrary-code-execution-vulnerability?_s_id=cve"}], "title": "WordPress Beaver Builder plugin <= 2.9.4.1 - Arbitrary Code Execution vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T18:20:21.484196Z", "id": "CVE-2025-69319", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:49:04.980Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69319", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T18:20:21.484196Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:20:17.692Z"}}], "cna": {"title": "WordPress Beaver Builder plugin <= 2.9.4.1 - Arbitrary Code Execution vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "mcdruid | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "affected": [{"vendor": "Beaver Builder", "product": "Beaver Builder", "versions": [{"status": "affected", "changes": [{"at": "2.9.4.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.9.4.1"}], "packageName": "beaver-builder-lite-version", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:27.821Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/beaver-builder-lite-version/vulnerability/wordpress-beaver-builder-plugin-2-9-4-1-arbitrary-code-execution-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection.This issue affects Beaver Builder: from n/a through <= 2.9.4.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection.<p>This issue affects Beaver Builder: from n/a through <= 2.9.4.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:14.433Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69319", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:14.433Z", "dateReserved": "2025-12-31T20:12:13.401Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:33.399Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection.This issue affects Beaver Builder: from n/a through <= 2.9.4.1."}, {"lang": "es", "value": "Vulnerabilidad de Control Inadecuado de la Generaci\u00f3n de C\u00f3digo ('Inyecci\u00f3n de C\u00f3digo') en Beaver Builder Beaver Builder beaver-builder-lite-version permite la Inyecci\u00f3n de C\u00f3digo. Este problema afecta a Beaver Builder: desde n/a hasta &lt;= 2.9.4.1."}], "id": "CVE-2025-69319", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:27.713", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/beaver-builder-lite-version/vulnerability/wordpress-beaver-builder-plugin-2-9-4-1-arbitrary-code-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:06:14.292620+00:00", "value": {"mitigation_remediation": ["Upgrade Beaver Builder to the latest version (>= 2.9.4.2) to eliminate the code injection flaw.", "If an upgrade is not immediately possible, disable custom code widgets or restrict the ability to enter PHP code within Beaver Builder until a patch is applied.", "Restrict WordPress administrative access to trusted users only and apply general site hardening practices such as strong passwords and two\u2011factor authentication."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of Beaver Builder Lite from the earliest release up to and including 2.9.4.1 are vulnerable. Sites using the plugin in a WordPress environment with these versions are susceptible until the plugin is updated.", "description_and_impact": "WordPress Beaver Builder Lite version 2.9.4.1 contains an Improper Control of Generation of Code flaw identified as CWE\u201194. The vulnerability permits an attacker to inject arbitrary PHP code into the plugin\u2019s engine, which is then executed on the web server. This can lead to full compromise of the website's confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, yet the EPSS value of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires the ability to supply input that reaches the plugin\u2019s code generation mechanism, such as adding or editing custom code widgets via the WordPress admin interface or compromising user credentials. This inference stems from the need to inject code into the plugin\u2019s configuration, a capability typically restricted to administrators or users with elevated privileges. The potential for high\u2011impact exploitation remains if attackers gain sufficient access."}}}}, "created": "2026-01-23T16:27:38.707585+00:00", "updated": "2026-04-28T18:15:37.360945+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpbeaverbuilder", "wpbeaverbuilder$PRODUCT$beaver_builder"]}