
CVE-2019-25763: WordPress Beaver Builder Plugin Authentication Bypass

CVE-2019-25763 (CVSS 9.8) allows unauthenticated attackers to hijack admin sessions in WordPress Ultimate Addons for Beaver Builder 1.2.4.1 via a crafted POST request to...



Executive Summary

An authentication bypass vulnerability in the WordPress plugin Ultimate Addons for Beaver Builder (version 1.2.4.1) allows unauthenticated attackers to hijack administrator sessions. Tracked as CVE-2019-25763 with a CVSS score of 9.8 (Critical), the flaw resides in the social media login form functionality and requires no authentication to exploit. Attackers can obtain valid session cookies by sending a crafted POST request to the admin-ajax.php endpoint, effectively gaining full administrative control over the affected WordPress instance.

Technical Analysis

According to the exploit published on Exploit-DB (entry 47832), the vulnerability exists in the uabb-lf-google-submit action handler within the plugin's social login feature. The plugin fails to properly verify that the user initiating the login flow is the same user who completes it, allowing an attacker to supply an arbitrary administrator email address alongside a valid nonce.

The exploit sequence works as follows:

  1. The attacker submits a POST request to /wp-admin/admin-ajax.php with the action parameter set to uabb-lf-google-submit.
  2. The request includes an email parameter containing a known administrator's email address and a nonce value that is valid for the current session.
  3. The plugin processes the request and, due to insufficient validation, returns session cookies associated with the supplied administrator account.

The nonce requirement is the only barrier to exploitation, but nonces in WordPress are predictable and can be obtained by unauthenticated users through other plugin endpoints or by enumerating the site's public pages. Once the attacker possesses the administrator's session cookies, they can perform any action the compromised account allows, including installing malicious plugins, modifying site content, or exfiltrating the database.

The vulnerability was originally disclosed in 2019, but the CVE ID assignment and public exploit publication occurred later. The affected version is Ultimate Addons for Beaver Builder 1.2.4.1; later versions may have addressed the issue, but no official advisory from the plugin vendor has been publicly linked to this CVE.

Mitigations & Recommendations

Defenders running WordPress sites with Ultimate Addons for Beaver Builder should take the following actions:

  • Update the plugin to the latest available version immediately. If version 1.2.4.1 or earlier is in use, upgrade to any release newer than that. The current stable version of the plugin (as of this writing) is not affected if it has received security patches since 2019.
  • Audit administrator accounts for any unauthorized changes or new users created around the time of potential exploitation. Check the site's user list for unfamiliar administrators and review recent login activity logs.
  • Implement Web Application Firewall (WAF) rules to block POST requests to admin-ajax.php that contain the uabb-lf-google-submit action parameter from untrusted IP ranges, especially if the social login feature is not in active use.
  • Disable the social login feature in the plugin settings if it is not required for site operations. This removes the vulnerable code path entirely.
  • Monitor for nonce leakage by reviewing WordPress debug logs for unusual admin-ajax.php requests. Nonces exposed in page source or via REST API endpoints can be harvested by attackers to complete the exploit.
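As an added example (not code from the article or from the plugin vendor), the following Python helper shows how a defender could review web-server access logs for the request pattern described above before or after deploying the WAF rule: POST requests to admin-ajax.php carrying the uabb-lf-google-submit action, summarised per source IP. It assumes Apache/Nginx combined-format logs and that the action parameter is visible in the query string; admin-ajax.php also accepts it in the POST body, which combined logs do not record, so a hit is a strong signal rather than a complete inventory. The log lines are constructed for the demonstration.

```python
"""
Access-log triage helper for the Ultimate Addons for Beaver Builder
social-login request pattern. Added example, not from the article or the
plugin vendor.

Assumptions (not stated in the article):
  * Logs are in the Apache/Nginx "combined" format.
  * The `action` parameter is in the query string. Bodies of POST requests
    are not recorded in combined logs, so body-only submissions are missed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Fields of a combined-format log line that we care about.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The admin-ajax action named in the Exploit-DB entry discussed above.
SUSPICIOUS_ACTION = "uabb-lf-google-submit"


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["path"])
    entry["endpoint"] = parts.path          # path without the query string
    entry["query"] = parse_qs(parts.query)  # {"action": ["..."], ...}
    return entry


def is_suspicious(entry):
    """True for a POST to admin-ajax.php whose query string selects the vulnerable action."""
    if entry["method"] != "POST":
        return False
    # endswith() copes with WordPress installed in a subdirectory.
    if not entry["endpoint"].endswith("/wp-admin/admin-ajax.php"):
        return False
    return SUSPICIOUS_ACTION in entry["query"].get("action", [])


def scan(lines):
    """Return the parsed entries that match the suspicious pattern, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append(entry)
    return hits


def hits_per_ip(hits):
    """Count matching requests per source IP; blocked (403) attempts count too."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2020:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=uabb-lf-google-submit HTTP/1.1" 200 512 "-" "curl/7.64.0"
198.51.100.4 - - [10/Jan/2020:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2020:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=uabb-lf-google-submit HTTP/1.1" 200 512 "-" "curl/7.64.0"
192.0.2.9 - - [10/Jan/2020:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=uabb-lf-google-submit HTTP/1.1" 403 0 "-" "python-requests/2.22"
192.0.2.9 - - [10/Jan/2020:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "python-requests/2.22"
garbage line that does not parse
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ip, n in hits_per_ip(found).most_common():
        print(f"{ip}: {n} POST(s) with action={SUSPICIOUS_ACTION}")
```

Requests that the WAF already answered with 403 are still reported, since a blocked attempt is exactly what an investigator wants to see when checking the audit items above; the status field is kept on each hit so the two cases can be separated if needed.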

If the plugin is no longer maintained or no update is available, consider replacing it with an alternative that provides similar functionality without the authentication bypass risk.
