WordPress Ultimate Addons for Beaver Builder 1.2.4.1 Authentication Bypass
Description
WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form functionality. Attackers can submit a POST request to the admin-ajax.php endpoint with the uabb-lf-google-submit action, a valid administrator email address, and a valid nonce to obtain session cookies and authenticate as that user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: =1.2.4.1
- (no CPE) range: <=1.2.4.1
Patches
Vulnerability mechanics
Root cause
"The plugin's AJAX handler for the social media login action does not validate that the request originates from a legitimate OAuth provider, allowing arbitrary authentication with only a known email and a page nonce."
Attack vector
An attacker submits a POST request to the `wp-admin/admin-ajax.php` endpoint with the action `uabb-lf-google-submit`, a known administrator email address, and a valid nonce scraped from the page containing the social media login form. The plugin's AJAX handler does not verify that the request originates from a legitimate OAuth provider, allowing the attacker to authenticate as any user whose email they supply [ref_id=1]. The only prerequisites are that the social media login form is embedded on a page and the attacker knows a valid user email.
What the fix does
The advisory does not include a patch diff, but the vulnerability is fixed in Ultimate Addons for Beaver Builder version 1.2.4.1 and later. The fix would need to add server-side validation that the `uabb-lf-google-submit` action is only processed after a genuine OAuth handshake with Google, rather than accepting arbitrary email and nonce values from a direct POST request. Without such validation, the AJAX handler trusts the client-supplied email and nonce without confirming they came from an actual social login flow.
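The following is an added illustration of the server-side validation described above, not the plugin's own code or the vendor's actual patch. It shows the hardened shape of a social-login AJAX handler: the nonce is still checked for CSRF protection, but the identity that gets logged in comes from a Google ID token that the server verifies (issuer, audience, expiry, verified email), never from a client-supplied `email` field. The function names `uabb_hardened_*`, the nonce action `uabb-lf-nonce`, the option key `uabb_google_client_id` and the `id_token` POST parameter are assumptions for the example; the WordPress API calls and Google's tokeninfo endpoint are real.

```php
<?php
// Added illustration (not the plugin's own code). Hypothetical names:
// uabb_hardened_*, nonce action 'uabb-lf-nonce', option 'uabb_google_client_id',
// POST parameter 'id_token'. WordPress API calls and the Google endpoint are real.

/**
 * Verify a Google ID token against Google's tokeninfo endpoint and return
 * the verified claims, or null if the token must not be trusted.
 * (Production code would normally validate the JWT signature locally with a
 * JWT library; the reference endpoint keeps this example short.)
 */
function uabb_hardened_verify_google_id_token( $id_token, $expected_client_id ) {
    if ( ! is_string( $id_token ) || '' === $id_token
        || ! is_string( $expected_client_id ) || '' === $expected_client_id ) {
        return null;
    }
    $response = wp_remote_get(
        'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode( $id_token ),
        array( 'timeout' => 10 )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $claims = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $claims ) ) {
        return null;
    }
    // The token must have been issued by Google, for THIS site's client ID,
    // must not have expired, and must carry a verified email address.
    $issuer_ok   = isset( $claims['iss'] )
        && in_array( $claims['iss'], array( 'accounts.google.com', 'https://accounts.google.com' ), true );
    $audience_ok = isset( $claims['aud'] ) && hash_equals( $expected_client_id, (string) $claims['aud'] );
    $not_expired = isset( $claims['exp'] ) && (int) $claims['exp'] > time();
    $email_ok    = isset( $claims['email'], $claims['email_verified'] )
        && in_array( $claims['email_verified'], array( true, 'true' ), true ) // tokeninfo returns "true" as a string
        && is_email( $claims['email'] );
    if ( ! ( $issuer_ok && $audience_ok && $not_expired && $email_ok ) ) {
        return null;
    }
    return $claims;
}

/**
 * AJAX handler: the account that gets logged in is chosen from the verified
 * token's email claim, never from a client-supplied 'email' parameter.
 */
function uabb_hardened_google_login() {
    // The nonce guards against CSRF but proves nothing about identity on its own.
    if ( ! check_ajax_referer( 'uabb-lf-nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 403 );
    }
    $id_token  = isset( $_POST['id_token'] ) ? wp_unslash( $_POST['id_token'] ) : '';
    $client_id = get_option( 'uabb_google_client_id', '' ); // hypothetical option key
    $claims    = uabb_hardened_verify_google_id_token( $id_token, $client_id );
    if ( null === $claims ) {
        wp_send_json_error( array( 'message' => 'Social login could not be verified.' ), 401 );
    }
    $user = get_user_by( 'email', sanitize_email( $claims['email'] ) );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'No account for this identity.' ), 401 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false );
    wp_send_json_success( array( 'redirect' => home_url( '/' ) ) );
}
add_action( 'wp_ajax_nopriv_uabb-lf-google-submit', 'uabb_hardened_google_login' );
add_action( 'wp_ajax_uabb-lf-google-submit', 'uabb_hardened_google_login' );
```

The design point is the audience check: without `hash_equals( $expected_client_id, $claims['aud'] )`, a token legitimately issued to any other Google-integrated application would still be accepted here, which would reintroduce an identity confusion of the same flavour as the original bug.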
Preconditions
- config: The social media login form must be embedded on a publicly accessible WordPress page.
- input: Attacker must know a valid email address of an administrator or privileged user.
- input: Attacker must be able to retrieve a valid nonce from the page containing the login form.
Reproduction
1. Identify a WordPress page that embeds the Ultimate Addons for Beaver Builder social media login form.
2. Retrieve a valid nonce from that page by scraping the `data-nonce` attribute.
3. Send a POST request to `wp-admin/admin-ajax.php` with parameters `action=uabb-lf-google-submit`, `name=<any>`, `email=<known-admin-email>`, and `nonce=<scraped-nonce>`.
4. Use the session cookies returned in the response to authenticate as the targeted user [ref_id=1].
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/47832 (MITRE: exploit)
- www.vulncheck.com/advisories/wordpress-ultimate-addons-for-beaver-builder-authentication-bypass (MITRE: third-party advisory)
- www.ultimatebeaver.com (MITRE: product)