CVE-2025-1279: CWE-862 Missing Authorization in SeaTheme BM Content Builder

Medium
Published: Fri Apr 25 2025 (04/25/2025, 08:22:13 UTC)
Source: CVE
Vendor/Project: SeaTheme
Product: BM Content Builder

Description

The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ux_cb_tools_import_item_ajax AJAX action in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

AI-Powered Analysis

Last updated: 06/24/2025, 14:13:13 UTC

Technical Analysis

CVE-2025-1279 is a vulnerability identified in the BM Content Builder plugin developed by SeaTheme for WordPress, affecting all versions up to and including 3.16.2.1. The core issue is a missing authorization check (CWE-862) on the AJAX action 'ux_cb_tools_import_item_ajax'. This flaw allows authenticated users with minimal privileges—specifically those with Subscriber-level access or higher—to perform unauthorized modifications to site options. Exploiting this vulnerability, an attacker can alter the default user role assigned upon registration to 'administrator' and enable user registration functionality if it is disabled. Consequently, this enables the attacker to create new administrative accounts, effectively escalating their privileges to full site administrator. The vulnerability arises because the plugin fails to verify whether the requesting user has the necessary capabilities to perform the import item AJAX action, allowing privilege escalation through manipulation of WordPress options. Although no public exploits are currently known, the vulnerability poses a significant risk due to the ease of exploitation by any authenticated user with low-level access. The absence of a patch at the time of reporting further increases the risk to affected sites. This vulnerability impacts the confidentiality, integrity, and availability of WordPress sites using the BM Content Builder plugin, as attackers can gain full administrative control, potentially leading to data theft, site defacement, or complete site takeover.

Potential Impact

European organizations using WordPress sites with the BM Content Builder plugin are at risk of unauthorized privilege escalation attacks. Given WordPress's widespread use across European businesses, government agencies, and non-profits, this vulnerability could lead to significant impacts including unauthorized data access, manipulation of website content, and disruption of services. Attackers gaining administrative access can implant malware, exfiltrate sensitive data, or disrupt operations, which is particularly critical for organizations handling personal data under GDPR regulations. The ability to create new administrator accounts undermines the integrity and trustworthiness of affected websites, potentially damaging reputation and leading to regulatory penalties. Additionally, sectors such as e-commerce, media, and public services relying on WordPress for content management are vulnerable to service interruptions and data breaches. The medium severity rating reflects the requirement for authenticated access, but the low privilege needed to exploit the vulnerability increases the threat surface considerably.

Mitigation Recommendations

1. Immediate mitigation involves restricting user roles to only trusted individuals and reviewing current user permissions to ensure no unnecessary Subscriber or higher-level accounts exist.
2. Disable user registration temporarily if not required to reduce attack vectors.
3. Monitor WordPress logs for suspicious AJAX requests targeting 'ux_cb_tools_import_item_ajax' and unusual changes to site options, especially default user roles.
4. Implement Web Application Firewall (WAF) rules to detect and block unauthorized AJAX requests related to this plugin.
5. Apply the principle of least privilege by limiting plugin usage to essential sites only and consider disabling or uninstalling BM Content Builder if not critical.
6. Stay alert for official patches or updates from SeaTheme and apply them promptly once available.
7. Conduct regular security audits and penetration tests focusing on plugin vulnerabilities and privilege escalation paths.
8. Educate site administrators about the risks of privilege escalation and the importance of monitoring user role changes.
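The missing check described in the Technical Analysis, and mitigation items 3 and 4 above, can be covered server-side with a small must-use plugin. The following is an added illustrative example, not code from SeaTheme or the BM Content Builder plugin; it assumes the plugin registers its handler at WordPress's default hook priority (10) and that 'manage_options' is the right capability for an import tool.

```php
<?php
/**
 * Plugin Name: CVE-2025-1279 hardening (illustrative mu-plugin, not vendor code)
 * Description: Enforces a capability check in front of the ux_cb_tools_import_item_ajax
 *              AJAX action and writes an audit line when the two options the advisory
 *              names as the escalation path are changed.
 */

// Assumption: manage_options is the appropriate capability; narrow it if the
// plugin documents a more specific one.
const UXCB_REQUIRED_CAP = 'manage_options';
const UXCB_AJAX_ACTION  = 'ux_cb_tools_import_item_ajax';

/**
 * Runs before the plugin's own handler (priority 0 precedes the default 10) and
 * ends the request for any logged-in user lacking the capability. Only the
 * wp_ajax_ (authenticated) hook is guarded, matching the advisory's scope.
 */
function uxcb_guard_import_item_ajax() {
    if ( ! current_user_can( UXCB_REQUIRED_CAP ) ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
            : 'unknown';
        error_log( sprintf( '[uxcb-guard] blocked %s for user %d from %s',
            UXCB_AJAX_ACTION, get_current_user_id(), $ip ) );
        // wp_send_json_error() calls wp_die(), so the plugin's handler never runs.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}
add_action( 'wp_ajax_' . UXCB_AJAX_ACTION, 'uxcb_guard_import_item_ajax', 0 );

/**
 * Audit trail: update_option_{$option} fires after a successful change and
 * passes (old value, new value, option name).
 */
function uxcb_audit_option_change( $old_value, $new_value, $option ) {
    error_log( sprintf( '[uxcb-audit] option %s changed from %s to %s by user %d',
        $option, wp_json_encode( $old_value ), wp_json_encode( $new_value ),
        get_current_user_id() ) );
}
foreach ( array( 'default_role', 'users_can_register' ) as $uxcb_option ) {
    add_action( 'update_option_' . $uxcb_option, 'uxcb_audit_option_change', 10, 3 );
}
```

The AJAX action name normally travels in the POST body of requests to admin-ajax.php, so a WordPress-side hook like this sees it where web-server access logs often will not.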

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-02-13T15:53:45.261Z
CISA Enriched: true

Threat ID: 682d983ec4522896dcbf0180

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 6/24/2025, 2:13:13 PM

Last updated: 8/5/2025, 5:29:42 AM
