Beaver Builder – WordPress Page Builder <= 2.7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Audio Widget

CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE: CVE-2024-1074
CVSS: 6.4 (Medium)
Publicly Published: February 28, 2024
Last Updated: May 31, 2024
Researcher: RandomRoot

Description

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the audio widget 'link_url' parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
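The description names the two missing controls: sanitization of the stored `link_url` value on the way in, and escaping of that value where it is written into an HTML attribute on the way out. The PHP below is an added illustration for this page, not code from the Beaver Builder plugin; the widget template, the function names `render_audio_widget_unsafe`, `sanitize_audio_url` and `render_audio_widget_safe`, and the sample inputs are all constructed. It shows the unsafe pattern (echoing a stored URL straight into a `src` attribute) beside a hardened version that restricts the URL scheme to an allowlist and escapes the value for an attribute context; inside WordPress the equivalent building blocks are `esc_url()` for the attribute and a scheme check on save.

```php
<?php
// Added example for this page; not the plugin's own code.
// Hypothetical audio widget template: a stored 'link_url' setting is
// written into an HTML <audio src="..."> attribute.

// Unsafe: the stored value is echoed verbatim into an attribute context,
// so a double quote in it terminates the attribute and a javascript: scheme
// becomes a clickable/loadable script URL.
function render_audio_widget_unsafe(array $settings): string
{
    return '<audio controls src="' . $settings['link_url'] . '"></audio>';
}

// Input sanitization: accept only absolute http/https URLs, otherwise null.
function sanitize_audio_url(string $url): ?string
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $allowed = ['http', 'https'];
    if (!in_array(strtolower($parts['scheme']), $allowed, true)) {
        return null; // rejects javascript:, data:, vbscript: and similar schemes
    }
    return trim($url);
}

// Safe: validate on the way in, escape for the attribute context on the way out.
function render_audio_widget_safe(array $settings): string
{
    $url = sanitize_audio_url((string) ($settings['link_url'] ?? ''));
    if ($url === null) {
        return '<!-- audio widget: link_url rejected -->';
    }
    // ENT_QUOTES encodes both quote characters as well as <, > and &, so the
    // value can no longer close the src attribute. In WordPress use esc_url().
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<audio controls src="' . $escaped . '"></audio>';
}

// Constructed sample inputs: one legitimate URL, one disallowed scheme,
// one value that tries to break out of the attribute.
$samples = [
    ['link_url' => 'https://example.com/track.mp3'],
    ['link_url' => 'javascript:void(0)'],
    ['link_url' => 'https://example.com/track.mp3" title="injected'],
];

foreach ($samples as $s) {
    echo "unsafe: " . render_audio_widget_unsafe($s) . "\n";
    echo "safe:   " . render_audio_widget_safe($s) . "\n\n";
}
```

Run with `php example.php`. The second sample is dropped by the scheme allowlist, and the third survives validation (it is a syntactically plausible https URL) but its quotes come out as `&quot;`, so it stays inside the `src` attribute instead of adding attributes of its own. Both layers matter: validation alone would have let the third value through, and escaping alone would have let the `javascript:` URL through.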


Vulnerability Details for Beaver Builder Page Builder – Drag and Drop Website Builder

Software Type: Plugin
Software Slug: beaver-builder-lite-version
Patched?: Yes
Remediation: Update to version 2.7.4.3, or a newer patched version
Affected Version:
  • <= 2.7.4.2
Patched Version:
  • 2.7.4.3

Recent vulnerabilities in Beaver Builder Page Builder – Drag and Drop Website Builder

#  | Title | CVE ID | CVSS | Researchers | Date
1  | Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'settings[js]' | CVE-2026-2481 | 6.4 | Athiwat Tiprasaharn (Jitlada), Tharadol Suksamran (d3kc4rt_1) | April 7, 2026
2  | Beaver Builder <= 2.10.1.2 - Authenticated (Contributor+) SQL Injection | CVE-2026-40744 | 6.5 | daroo | March 23, 2026
3  | Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings | CVE-2026-1231 | 6.4 | Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Waris Damkham | February 10, 2026
4  | Beaver Builder <= 2.9.4.1 - Authenticated (Contributor+) Remote Code Execution | CVE-2025-69319 | 8.8 | Drew Webber (mcdruid) | January 21, 2026
5  | Beaver Builder – WordPress Page Builder <= 2.9.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Update | CVE-2025-12934 | 8.1 | Athiwat Tiprasaharn (Jitlada) | December 22, 2025
6  | Beaver Builder – WordPress Page Builder <= 2.9.4 - Authenticated (Contributor+) Sensitive Information Exposure | CVE-2025-12558 | 4.3 | Athiwat Tiprasaharn (Jitlada) | December 8, 2025
7  | Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Builder Status Tampering | CVE-2025-12782 | 4.3 | Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Powpy, Waris Damkham | December 3, 2025
8  | Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Global Preset Modification | CVE-2025-11726 | 4.3 | Athiwat Tiprasaharn (Jitlada) | December 1, 2025
9  | Beaver Builder Plugin (Lite Version) <= 2.9.2.1 - Reflected Cross-Site Scripting | CVE-2025-8897 | 6.1 | Jack Pas (Dark.) | August 27, 2025
10 | Beaver Builder – WordPress Page Builder <= 2.8.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-11832 | 6.4 | zer0gh0st | December 12, 2024
