VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 32 known issues Latest disclosed Apr 07, 2026

Beaver Builder Page Builder – Drag and Drop Website Builder Vulnerabilities

Review known vulnerability records for the WordPress plugin Beaver Builder Page Builder – Drag and Drop Website Builder (`beaver-builder-lite-version`), including severity, CVE references, affected versions, and patch status.

View on WordPress.org Back to Feed
Known Records
32
High or Critical
2
Linked CVEs
31
Last Updated
Apr 07, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Beaver Builder Page Builder – Drag and Drop Website Builder so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility
32 records include a published patch path.
Severity Mix
0 critical and 2 high severity findings.
Reference Workflow
Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.
Known Vulnerabilities

Reports for Beaver Builder Page Builder – Drag and Drop Website Builder

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-2481
Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'settings[js]'

The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings[js]' parameter in versions up to, and including, 2.10.1.1 due to insufficient input sanitization and output escaping. This makes it...

Published
Apr 07, 2026
Patched Release
2.10.1.2
Affected Versions
Versions up to 2.10.1.1
Next Step
Update to 2.10.1.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2026-1231
Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings

The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on save_global_settings() funct...

Published
Feb 10, 2026
Patched Release
2.10.0.6
Affected Versions
Versions up to 2.10.0.5
Next Step
Update to 2.10.0.6 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-69319
Beaver Builder <= 2.9.4.1 - Authenticated (Contributor+) Remote Code Execution

The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.9.4.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code...

Published
Jan 21, 2026
Patched Release
2.9.4.2
Affected Versions
Versions up to 2.9.4.1
Next Step
Update to 2.9.4.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-12934
Beaver Builder – WordPress Page Builder <= 2.9.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Update

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'duplicate_wpml_layout' function in all versions up to, and including, 2.9.4.1. This makes it possible for authe...

Published
Dec 22, 2025
Patched Release
2.9.4.2
Affected Versions
Versions up to 2.9.4.1
Next Step
Update to 2.9.4.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-12558
Beaver Builder – WordPress Page Builder <= 2.9.4 - Authenticated (Contributor+) Sensitive Information Exposure

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function. This makes it possible for authenticated attackers, with Contributor-level access...

Published
Dec 08, 2025
Patched Release
2.9.4.1
Affected Versions
Versions up to 2.9.4
Next Step
Update to 2.9.4.1 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-12782
Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Builder Status Tampering

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authen...

Published
Dec 03, 2025
Patched Release
2.9.4.1
Affected Versions
Versions up to 2.9.4
Next Step
Update to 2.9.4.1 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-11726
Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Global Preset Modification

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide...

Published
Dec 01, 2025
Patched Release
2.9.4.1
Affected Versions
Versions up to 2.9.4
Next Step
Update to 2.9.4.1 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-8897
Beaver Builder Plugin (Lite Version) <= 2.9.2.1 - Reflected Cross-Site Scripting

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘'fl_builder' parameter in all versions up to, and including, 2.9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for un...

Published
Aug 27, 2025
Patched Release
2.9.3.1
Affected Versions
Versions up to 2.9.2.1
Next Step
Update to 2.9.3.1 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-11832
Beaver Builder – WordPress Page Builder <= 2.8.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JavaScript row settings in all versions up to, and including, 2.8.4.4 due to insufficient input sanitization and output escaping. This makes it possible fo...

Published
Dec 12, 2024
Patched Release
2.8.5.3
Affected Versions
Versions up to 2.8.4.4
Next Step
Update to 2.8.5.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-53797
Beaver Builder <= 2.8.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.8.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above,...

Published
Dec 02, 2024
Patched Release
2.8.4.4
Affected Versions
Versions up to 2.8.4.3
Next Step
Update to 2.8.4.4 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-9505
Beaver Builder – WordPress Page Builder <= 2.8.4.2 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Button Widget

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.8.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This...

Published
Oct 29, 2024
Patched Release
2.8.4.3
Affected Versions
Versions up to 2.8.4.2
Next Step
Update to 2.8.4.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-50430
Beaver Builder <= 2.8.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.8.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above,...

Published
Oct 24, 2024
Patched Release
2.8.3.9
Affected Versions
Versions up to 2.8.3.7
Next Step
Update to 2.8.3.9 or newer if supported.
Open Full Report Open CVE Reference