CVE-2019-25763 | THREATINT

Description

WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form functionality. Attackers can submit a POST request to the admin-ajax.php endpoint with the uabb-lf-google-submit action, a valid administrator email address, and a valid nonce to obtain session cookies and authenticate as that user.

PUBLISHED Reserved 2026-06-20 | Published 2026-06-20 | Updated 2026-06-21 | Assigner VulnCheck

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Authentication Bypass Using an Alternate Path or Channel

Product status

Default status

unaffected

Any version

affected

References

www.exploit-db.com/exploits/47832 (ExploitDB-47832) exploit

www.ultimatebeaver.com/ (Official Product Homepage) product

www.vulncheck.com/...or-beaver-builder-authentication-bypass (VulnCheck Advisory: WordPress Ultimate Addons for Beaver Builder 1.2.4.1 Authentication Bypass) third-party-advisory

cve.org (CVE-2019-25763)

nvd.nist.gov (CVE-2019-25763)

Download JSON