17 Feb

False Vulnerability Report: Beaver Builder Lite Security Issue

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well we post our findings on them.

Unlike the last few false reports of vulnerabilities we discussed, this vulnerability would appear to exist, but just not in one of the pieces of software it was claimed to be in. A privilege escalation vulnerability was claimed to exist in Beaver Builder Lite and Pro versions prior to 1.7.1.

In many cases vulnerabilities are listed as existing in versions prior to a certain version (as in this case), while the discoverer only actually knows that it exist the version prior to that version. With our service you will actually know what versions are vulnerable because we determine that during out testing, which is important if you using the data while trying to determine how a website was hacked or if if the website would have been vulnerable for a time.

In this case the vulnerability could not have existed in version prior to 1.7 since the vulnerable function was only added in that version. Which the discoverer could have easily seen since that is mentioned right above the section of the function included in a screenshot in their post:

 * Runs the current AJAX action.
 * @since 1.7
 * @access private
 * @return void
static private function call_action()
 // Only run for logged in users.
 if ( ! is_user_logged_in() ) {

That is very important in this case because Beaver Builder Lite’s first 1.7 release was 1.7.1, so the vulnerability appears to have only impacted those using the Pro version of the plugin:

Beaver Builder Lite Versions

Leave a Reply

Your email address will not be published. Required fields are marked *