External risk intelligence

WordPress Ultimate Addons for Beaver Builder Authentication Bypass

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2019-25763

The vulnerability resides in a WordPress plugin that adds functionality to a publicly accessible web application. Authentication forms and social media login integrations are common features of internet-facing websites, making this endpoint frequently exposed to remote users.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in a WordPress plugin could allow unauthorized access to user accounts by bypassing authentication through its social media login feature. The issue arises from how the plugin handles login requests, potentially enabling attackers to impersonate legitimate users and gain access to sensitive information or functionalities.

  • Allows unauthorized access to accounts.
  • Confirms plugin relevance and potential exposure.
  • Assess impact on your WordPress sites.

Attack Path

How an attacker could exploit the issue

Attackers can bypass authentication by exploiting a weakness in the social media login feature of a WordPress plugin. By sending a crafted request to a specific administrative endpoint, an attacker can obtain session cookies and log in as a legitimate administrator. This could lead to unauthorized access and control of the website.

  • No specific user access is required.
  • Triggered by a POST request to admin-ajax.php.
  • Enables unauthorized administrative access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to bypass authentication mechanisms in the social media login functionality. According to the advisory, an attacker could submit a specially crafted POST request to the admin-ajax.php endpoint. This could lead to unauthorized access and potential manipulation of user accounts or system functions, depending on the privileges associated with the bypassed account.

  • Administrator account session cookies.
  • Submitting a crafted POST request.
  • Unauthorized access and account control.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the WordPress Ultimate Addons for Beaver Builder plugin. Given its nature as a plugin for a public-facing content management system, ownership likely falls to the Application Owner or Web Development Team responsible for the WordPress instance. The initial step is to identify all WordPress sites using this plugin, confirm their public reachability and business criticality, and then engage the appropriate team for remediation planning based on risk.

  • Application owners should lead remediation efforts.
  • Verify all public WordPress sites using the plugin.
  • Plan updates during scheduled maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is WordPress Ultimate Addons for Beaver Builder?

It is a supplementary plugin for Beaver Builder, a popular drag-and-drop page builder for the WordPress content management system. These types of add-ons typically extend the core plugin's capabilities by providing extra design modules, templates, and specialized elements, such as social media integration tools, which help site administrators create complex, custom-styled web pages without needing to write custom code.

How does CVE-2019-25763 function as an authentication bypass?

This vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). In this case, the plugin fails to properly verify the identity of a user during the social media login process. By sending a crafted request, an attacker can manipulate the plugin's logic to skip standard login checks and masquerade as an authorized administrator without knowing the actual password.

What triggers the vulnerability in the plugin?

The issue is triggered when an attacker sends a specific POST request to the WordPress admin-ajax.php endpoint using the uabb-lf-google-submit action. For this to work, the attacker must provide a valid administrator email address and a legitimate nonce. The vulnerability does not occur if the social media login feature is completely disabled or if the plugin is not installed on the site.
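As an added detection example (not part of the original advisory, and not the plugin's code), the script below scans web server access-log lines for POST requests to admin-ajax.php carrying the uabb-lf-google-submit action named above, then correlates each hit with a later successful request to /wp-admin/ from the same source address, which is the sequence described under Live Threat. All log lines, addresses and timestamps are constructed; the field layout follows the common combined log format. One caveat: WordPress accepts the action from either the query string or the POST body, and a standard access log records only the former, so for full coverage the same functions should be run against WAF or request-body logs that expose the action.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/May/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=uabb-lf-google-submit HTTP/1.1" 200 120 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/May/2024:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.10 - - [10/May/2024:12:00:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "python-requests/2.31"',
]

TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "uabb-lf-google-submit"   # action name from the advisory

# ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns lists; keep the first value of each parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def is_social_login_submit(rec):
    """True for a POST to admin-ajax.php whose action (in the query string) is the advisory's."""
    return (rec["method"] == "POST"
            and rec["path"] == TARGET_PATH
            and rec["query"].get("action") == TARGET_ACTION)


def find_social_login_submits(lines):
    """Return every parsed record that hits the social-login submit action."""
    return [r for r in map(parse_log_line, lines) if r and is_social_login_submit(r)]


def find_suspicious_sequences(lines):
    """Return (ip, submit_time, admin_path) for each submit that is followed by an
    HTTP 200 request to another /wp-admin/ path from the same source address, i.e.
    the submit appears to have yielded a working administrative session."""
    records = [r for r in map(parse_log_line, lines) if r]
    hits = []
    for i, rec in enumerate(records):
        if not is_social_login_submit(rec):
            continue
        for later in records[i + 1:]:
            if (later["ip"] == rec["ip"]
                    and later["path"].startswith("/wp-admin/")
                    and later["path"] != TARGET_PATH
                    and later["status"] == 200):
                hits.append((rec["ip"], rec["time"], later["path"]))
                break
    return hits


if __name__ == "__main__":
    for ip, when, path in find_suspicious_sequences(SAMPLE_LOG):
        print(f"{ip} submitted {TARGET_ACTION} at {when} and then reached {path}")
```

Any match from find_social_login_submits is worth reviewing on its own once the plugin is known to be installed; a match from find_suspicious_sequences additionally shows the source going on to use the administrative area and should be treated as a possible successful bypass until the session is accounted for.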

Why should I care about this if my WordPress site is internal?

Halo Surface Signal indicates that this vulnerability is highly relevant because WordPress is typically designed for public-facing web applications. While internet-facing instances are at the highest risk, internal sites are not immune; any entity with network access to the web server could potentially trigger the exploit. You should treat it as a significant risk if the site is reachable by anyone other than the intended, verified users.

What are the first steps to secure my environment?

Begin by auditing your server infrastructure to inventory all WordPress installations and identify which ones have the Ultimate Addons for Beaver Builder plugin enabled. Once you have a clear list of affected instances, coordinate with your web development team to restrict access to the site's administrative areas and evaluate the necessity of the social media login feature until a verified update is applied.
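As an added example for the inventory step above (and the same step under Operational Fix), not code from the advisory or the plugin, the script below walks a list of WordPress document roots, reads each plugin's header comment (the Plugin Name and Version fields that WordPress itself parses from the first 8 KiB of the plugin's main PHP file) and reports every installation whose plugin name matches Ultimate Addons for Beaver Builder. The directory tree it builds is a throwaway fixture; the slug EXAMPLE-uabb-slug and version 1.0.0 are placeholders, since the advisory lists neither the real slug nor the affected versions.

```python
import os
import re
import tempfile

# WordPress plugin header fields, e.g. " * Plugin Name: Foo" inside the leading comment.
PLUGIN_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
AFFECTED_NAME = "ultimate addons for beaver builder"   # compared case-insensitively


def read_plugin_header(php_path):
    """Return (name, version) from a plugin file's header comment, or None if absent."""
    with open(php_path, encoding="utf-8", errors="replace") as f:
        head = f.read(8192)   # WordPress reads only the first 8 KiB for header data
    m = PLUGIN_NAME_RE.search(head)
    if not m:
        return None
    v = VERSION_RE.search(head)
    return m.group(1), (v.group(1) if v else "unknown")


def installed_plugins(docroot):
    """Yield (slug, name, version) for each plugin under <docroot>/wp-content/plugins."""
    plugins_dir = os.path.join(docroot, "wp-content", "plugins")
    if not os.path.isdir(plugins_dir):
        return
    for slug in sorted(os.listdir(plugins_dir)):
        entry = os.path.join(plugins_dir, slug)
        if os.path.isfile(entry) and entry.endswith(".php"):
            candidates = [entry]                      # single-file plugin
        elif os.path.isdir(entry):
            candidates = [os.path.join(entry, f)
                          for f in sorted(os.listdir(entry)) if f.endswith(".php")]
        else:
            continue
        for php in candidates:
            header = read_plugin_header(php)
            if header:
                yield slug, header[0], header[1]
                break


def find_affected(docroots):
    """Return a record per docroot that has the affected plugin installed."""
    hits = []
    for root in docroots:
        for slug, name, version in installed_plugins(root):
            if AFFECTED_NAME in name.lower():
                hits.append({"docroot": root, "slug": slug, "name": name, "version": version})
    return hits


def build_demo_tree():
    """Create two hypothetical docroots in a temp dir: one with the plugin, one without."""
    base = tempfile.mkdtemp(prefix="wp-inventory-demo-")
    affected = os.path.join(base, "site-a")
    clean = os.path.join(base, "site-b")
    plugin_dir = os.path.join(affected, "wp-content", "plugins", "EXAMPLE-uabb-slug")  # placeholder slug
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, "plugin.php"), "w") as f:
        # Constructed header; 1.0.0 is a placeholder, not a known affected version.
        f.write("<?php\n/*\nPlugin Name: Ultimate Addons for Beaver Builder\nVersion: 1.0.0\n*/\n")
    os.makedirs(os.path.join(clean, "wp-content", "plugins"))
    with open(os.path.join(clean, "wp-content", "plugins", "hello-demo.php"), "w") as f:
        f.write("<?php\n/**\n * Plugin Name: Hello Demo\n * Version: 2.0\n */\n")
    return [affected, clean]


if __name__ == "__main__":
    for hit in find_affected(build_demo_tree()):
        print(f"{hit['docroot']}: {hit['name']} {hit['version']} ({hit['slug']})")
```

In practice the docroot list comes from the web server configuration or a CMDB rather than a fixture; the header match is deliberately on the plugin name rather than a directory slug so that renamed or vendored copies are still found.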
