High severity7.2NVD Advisory· Published Jun 20, 2025· Updated Jun 17, 2026
CVE-2025-4102
CVE-2025-4102
Description
The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_enabled_icons' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 2.9.1.
Affected products
3<=2.9.1+ 1 more
- (no CPE)range: <=2.9.1
- (no CPE)
Patches
Vulnerability mechanics
References
2- www.wordfence.com/threat-intel/vulnerabilities/id/2eb4608f-fa4f-444c-a857-c9059777a70bnvdThird Party Advisory
- www.wpbeaverbuilder.com/change-logs/nvdProduct
News mentions
0No linked articles in our index yet.