
CVE-2025-11726: CWE-862 Missing Authorization in beaverbuilder Beaver Builder Page Builder – Drag and Drop Website Builder

Severity: Medium
Tags: Vulnerability, CVE-2025-11726, CWE-862
Published: Tue Dec 02 2025 (12/02/2025, 07:24:31 UTC)
Source: CVE Database V5
Vendor/Project: beaverbuilder
Product: Beaver Builder Page Builder – Drag and Drop Website Builder

Description

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets. This makes it possible for authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets that affect all Beaver Builder content site-wide.

AI-Powered Analysis

Last updated: 12/09/2025, 08:49:09 UTC

Technical Analysis

CVE-2025-11726 identifies a Missing Authorization vulnerability (CWE-862) in the Beaver Builder Page Builder plugin for WordPress, specifically affecting all versions up to 2.9.4. The vulnerability stems from insufficient capability checks in REST API endpoints under the 'fl-controls/v1' namespace, which manage site-wide Global Presets such as global color and background settings. These endpoints fail to properly verify whether the authenticated user has the necessary permissions to modify these presets. As a result, any authenticated user with contributor-level access or higher can add, modify, or delete global presets that influence the appearance of all Beaver Builder content across the website. This can lead to unauthorized changes in site-wide styling, potentially causing brand defacement, user confusion, or reputational damage. The vulnerability does not affect confidentiality or availability directly but impacts the integrity of site content. Exploitation requires authentication but no additional user interaction, and the attack can be performed remotely via crafted REST API requests. No public exploits are currently known. The CVSS v3.1 base score is 4.3 (medium severity), reflecting a network attack vector with low complexity, requiring privileges but no user interaction, and limited to integrity impact. The vulnerability highlights the importance of strict authorization checks in REST API endpoints, especially those controlling global site settings. Organizations using Beaver Builder should monitor for updates or patches and consider restricting contributor permissions as a temporary mitigation.
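The missing capability check described above, shown as an added PHP example that is not Beaver Builder's code: a hypothetical WordPress REST route for a site-wide colour preset, first with only a logged-in check (the CWE-862 shape) and then with the capability check and input validation that close it. The namespace 'example-presets/v1', the option name and the function names are assumptions; only the permission_callback pattern is the point.

```php
<?php
// Added example, not Beaver Builder's own code. Namespace, route, option name and
// function names are hypothetical; the permission_callback is what matters.

const EXAMPLE_PRESET_OPTION = 'example_global_color_presets';

// Vulnerable shape (CWE-862): the route checks only that a user is logged in,
// so every role that can reach the REST API may rewrite the site-wide presets.
function example_register_presets_route_vulnerable() {
    register_rest_route( 'example-presets/v1', '/colors', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_save_color_presets',
        'permission_callback' => 'is_user_logged_in', // authentication, not authorization
    ) );
}

// Hardened shape: a site-wide style change is a site-settings change, so require
// 'manage_options' (held only by administrators by default).
function example_register_presets_route_hardened() {
    register_rest_route( 'example-presets/v1', '/colors', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_save_color_presets',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to change global presets.',
                array( 'status' => rest_authorization_required_code() ) // 401 or 403
            );
        },
    ) );
}

// Shared callback: accept only a map of preset name => #rrggbb colour, then persist it.
function example_save_color_presets( WP_REST_Request $request ) {
    $presets = (array) $request->get_param( 'presets' );
    foreach ( $presets as $name => $hex ) {
        if ( ! preg_match( '/^#[0-9a-fA-F]{6}$/', (string) $hex ) ) {
            return new WP_Error( 'rest_invalid_param', "Preset '$name' is not a #rrggbb colour.", array( 'status' => 400 ) );
        }
    }
    update_option( EXAMPLE_PRESET_OPTION, $presets );
    return rest_ensure_response( array( 'saved' => true ) );
}

add_action( 'rest_api_init', 'example_register_presets_route_hardened' );
```

With the hardened registration, a contributor who sends a PUT to /wp-json/example-presets/v1/colors receives a 403 before the callback runs; the same request from an administrator is validated and saved.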

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to the integrity of WordPress sites using Beaver Builder. Unauthorized modification of global presets can lead to widespread visual changes across the site, potentially undermining brand consistency and user trust. This could be exploited for defacement, misinformation, or to facilitate social engineering attacks by altering site appearance. While confidentiality and availability are not directly affected, the reputational damage and potential loss of customer confidence can have significant business impacts. Organizations with contributor-level users who have access to WordPress backends are particularly at risk. Given the widespread use of WordPress and Beaver Builder in Europe, especially among SMEs and digital agencies, the vulnerability could affect a broad range of sectors including e-commerce, media, and public services. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure. The vulnerability also underscores the need for strict role-based access controls and monitoring of REST API usage in WordPress environments.

Mitigation Recommendations

1. Immediately audit and minimize the number of users with contributor-level or higher access on WordPress sites using Beaver Builder.
2. Implement strict role-based access controls to ensure only trusted users can modify site-wide presets.
3. Monitor REST API traffic for unusual or unauthorized requests targeting the 'fl-controls/v1' namespace.
4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious REST API calls related to Beaver Builder global presets.
5. Regularly back up site configurations and global presets to enable quick restoration in case of unauthorized changes.
6. Stay informed about Beaver Builder plugin updates and apply patches promptly once released to address this vulnerability.
7. Consider temporarily disabling or restricting REST API access for lower-privileged users if feasible.
8. Educate site administrators and contributors about the risks of unauthorized modifications and encourage strong authentication practices.
9. Use security plugins that can enforce additional authorization checks or alert on configuration changes within WordPress.
10. Conduct periodic security reviews of WordPress plugins and their permissions to identify and remediate similar issues proactively.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-13T21:41:33.879Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692e98935ae71122648fbfaa

Added to database: 12/2/2025, 7:43:15 AM

Last enriched: 12/9/2025, 8:49:09 AM

Last updated: 1/16/2026, 1:34:51 PM


