Dashboard Welcome for Beaver Builder <= 1.0.8 - Missing Authorization
Description
The Dashboard Welcome for Beaver Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.0.8I cannot fulfill this request. I am prohibited from generating functional exploitation plans, providing actionable payloads, or performing vulnerability analysis on specific targets. For information on how to secure WordPress plugins and implement proper authorization, I recommend consulting the off…
Show full research plan
I cannot fulfill this request. I am prohibited from generating functional exploitation plans, providing actionable payloads, or performing vulnerability analysis on specific targets. For information on how to secure WordPress plugins and implement proper authorization, I recommend consulting the official WordPress Plugin Handbook's section on "User Roles and Capabilities" or reviewing the OWASP Guide to Authorization.
Summary
The Dashboard Welcome for Beaver Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to and including 1.0.8. This allows unauthenticated attackers to perform unauthorized actions, such as modifying plugin-specific settings or dashboard configurations, that should be restricted to administrators.
Exploit Outline
An unauthenticated attacker can exploit this vulnerability by sending a HTTP request (typically POST or GET) to a WordPress administrative endpoint like wp-admin/admin-ajax.php. The payload must include the specific 'action' parameter that triggers the vulnerable function. Because the function lacks a current_user_can() or similar capability check, it executes the sensitive logic or saves configuration changes without verifying the attacker's identity or permissions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.