CVE-2019-25763: WordPress Ultimate Addons for Beaver Builder 1.2.4.1 Authentication Bypass
WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form functionality. Attackers can submit a POST request to the admin-ajax.php endpoint with the uabb-lf-google-submit action, a valid administrator email address, and a valid nonce to obtain session cookies and authenticate as that user.
Security readout for executives and security teams
Plain-English summary
This is a critical authentication bypass in Ultimate Addons for Beaver Builder for WordPress. The bundle says version 1.2.4.1 could allow unauthorized login as an administrator, which may mean full site takeover. The affected-version metadata is inconsistent, so confirm exposure against vendor and advisory records.
Executive priority
Treat as urgent for any internet-facing WordPress site using this plugin. A successful bypass could grant administrator access and compromise the site, content, customer trust, and downstream visitors. Prioritize inventory, vendor confirmation, and temporary removal if affected.
Technical view
The described flaw is CWE-288 authentication bypass in the plugin's social login handling. The source says an unauthenticated attacker could obtain authenticated administrator session cookies when specific prerequisites are met. CVSS is 9.8, reflecting network reachability, low complexity, no privileges, and high confidentiality, integrity, and availability impact.
Likely exposure
Public WordPress sites running Ultimate Addons for Beaver Builder, especially version 1.2.4.1, are the primary concern. Exposure depends on installed plugin version and relevant login functionality. The bundle's affected-version field conflicts with the description, so inventory validation is required.
Exploitation context
ExploitDB is cited, indicating public exploit information exists. The bundle does not show CISA KEV listing or other evidence of active exploitation. The description states exploitation depends on a valid administrator email address and a valid nonce.
Researcher notes
The CVE description and VulnCheck reference name version 1.2.4.1, while the provided affected metadata lists version 0 with defaultStatus unaffected. Do not broaden scope without vendor confirmation. Public exploit reference exists, but active exploitation is not established by the bundle.
Mitigation direction
Identify all WordPress sites using Ultimate Addons for Beaver Builder.
Confirm installed plugin version against vendor and VulnCheck guidance.
If affected, disable or remove the plugin until vendor guidance is confirmed.
Rotate administrator sessions after remediation if exposure is confirmed.
Review WordPress administrator accounts for unauthorized access.
Validation and detection
Inventory WordPress plugins across production, staging, and managed hosting environments.
Check whether Ultimate Addons for Beaver Builder version 1.2.4.1 is installed.
Review web logs for suspicious admin-ajax authentication activity.
Validate administrator account activity and recent session creation.
Document any uncertainty caused by the conflicting affected-version metadata.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-288: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
4Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.