CVE-2022-36425 – WordPress Beaver Builder plugin <= 2.5.4.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2022-36425
Broken Access Control vulnerability in the Beaver Builder plugin <= 2.5.4.3 for WordPress. The Beaver Builder plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the save_settings function in versions up to, and including, 2.5.4.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to disable the plugin.
• https://patchstack.com/database/vulnerability/beaver-builder-lite-version/wordpress-beaver-builder-plugin-2-5-4-3-broken-access-control-vulnerability/_s_id=cve
• https://wordpress.org/plugins/beaver-builder-lite-version/#developers
• CWE-264: Permissions, Privileges, and Access Controls
• CWE-862: Missing Authorization
CVE-2021-42748
https://notcve.org/view.php?id=CVE-2021-42748
In Beaver Builder through 2.5.0.3, attackers can bypass the visibility controls protection mechanism via the REST API.
• https://docs.wpbeaverbuilder.com/beaver-builder/developer/conditionally-hidden-content
• https://tekfused.com/tek/vulnerability-research/beaver-builder-vulnerabilities-visibility-conditional-logic-cve
• CWE-425: Direct Request ('Forced Browsing')