CVE-2025-1777
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-06

Last updated on: 2025-06-06

Assigner: Wordfence

Description
The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the 'ux_cb_page_options_save' function in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-06
Last Modified
2025-06-06
Generated
2026-05-07
AI Q&A
2025-06-06
EPSS Evaluated
2026-05-05
NVD
CVE-2025-1777
EUVD
EUVD-2025-17053
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The BM Content Builder plugin for WordPress has a vulnerability due to a missing capability check in the 'ux_cb_page_options_save' function in versions up to 3.16.2.1. This allows authenticated users with subscriber-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page.


How can this vulnerability impact me? :

This vulnerability can allow attackers with low-level access to inject malicious scripts into web pages, potentially leading to cross-site scripting (XSS) attacks. This can result in unauthorized actions performed on behalf of users, data theft, session hijacking, or other malicious activities when users visit the compromised pages.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart