CVE-2025-1279: CWE-862 Missing Authorization in SeaTheme BM Content Builder
The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ux_cb_tools_import_item_ajax AJAX action in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-1279 affects the BM Content Builder plugin developed by SeaTheme for WordPress, present in all versions up to and including 3.16.2.1. The root cause is a missing capability check (authorization) on the AJAX action named ux_cb_tools_import_item_ajax. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this AJAX endpoint and modify arbitrary WordPress options. Specifically, an attacker can alter the 'default_role' option to 'administrator' and enable user registration, which is typically disabled or restricted. By doing so, the attacker can register new accounts that automatically receive administrative privileges, effectively escalating from a low-privilege user to a full administrator. The vulnerability requires no user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and only low privileges required. Although no public exploits have been reported yet, the vulnerability is critical due to the widespread use of WordPress and the plugin's presence on many sites. The CWE classification is CWE-862 (Missing Authorization), indicating a failure to verify user permissions before allowing a sensitive operation. This vulnerability can lead to complete site compromise if exploited.
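The pattern behind CWE-862 in a WordPress AJAX handler, as an added illustration that is not the plugin's code: WordPress fires wp_ajax_{action} hooks for any logged-in user regardless of role, so a handler that writes options without its own capability check is reachable by a Subscriber. The action name example_import_item, the option names and the nonce action below are assumptions; the hardened variant adds the three controls the handler needs (nonce, capability, allow-list of the options it owns).

```php
<?php
// Added example, not SeaTheme's code. Generic CWE-862 pattern in a WordPress
// AJAX handler, shown beside a hardened version of the same handler.

// VULNERABLE PATTERN (for comparison only; hooked to its own assumed action name).
// wp_ajax_* already restricts the hook to logged-in users, but that is
// authentication, not authorization: a Subscriber reaches this code.
add_action( 'wp_ajax_example_import_item_vulnerable', 'example_import_item_vulnerable' );
function example_import_item_vulnerable() {
    $name  = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    $value = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    update_option( $name, $value ); // caller chooses which option to write
    wp_send_json_success();
}

// HARDENED VERSION of the same import action (assumed action name example_import_item).
add_action( 'wp_ajax_example_import_item', 'example_import_item_hardened' );
function example_import_item_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action
    //    (wp_create_nonce( 'example_import_item' ) on the admin page).
    check_ajax_referer( 'example_import_item', 'nonce' );

    // 2. Authorization: the missing check. Writing options requires manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 ); // exits
    }

    // 3. Least privilege: the handler may only touch options it owns, never
    //    core options such as default_role or users_can_register.
    $allowed = array( 'example_cb_import_settings', 'example_cb_templates' ); // assumed names
    $name    = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Option not permitted.' ), 400 );
    }

    $value = isset( $_POST['option_value'] ) ? wp_kses_post( wp_unslash( $_POST['option_value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}
```

The allow-list is what turns a generic "write an option" endpoint into one scoped to the plugin; a capability check alone would still let an administrator-level caller overwrite unrelated core options through the import path.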
Potential Impact
The impact of CVE-2025-1279 is severe for organizations running WordPress sites with the BM Content Builder plugin. Attackers with minimal privileges can escalate to full administrative control, enabling them to manipulate site content, install malicious plugins or backdoors, steal sensitive data, or disrupt site availability. This can lead to data breaches, defacement, loss of customer trust, and potential regulatory penalties. The ability to change default registration roles also facilitates persistent unauthorized access, making remediation more difficult. Given WordPress’s dominant market share in content management systems globally, this vulnerability could affect a large number of websites, including corporate, governmental, and e-commerce platforms. The compromise of administrative accounts can also be leveraged for lateral movement within organizational networks if the WordPress site is integrated with internal systems. The absence of known exploits in the wild suggests a window of opportunity for defenders to patch and mitigate before active exploitation occurs.
Mitigation Recommendations
Organizations should immediately verify whether they use the SeaTheme BM Content Builder plugin and identify the version installed. Since no official patch links are provided yet, administrators should consider the following mitigations:
1) Temporarily disable or restrict access to the plugin's AJAX endpoints via web application firewall (WAF) rules or server-level access controls, limiting access to trusted IPs or blocking the ux_cb_tools_import_item_ajax action.
2) Restrict user roles and permissions to minimize the number of users with Subscriber or higher access, and audit existing user accounts for suspicious registrations or privilege changes.
3) Disable user registration if not required, or enforce strict registration controls such as CAPTCHA and email verification.
4) Monitor WordPress logs and plugin activity for unusual option updates or AJAX requests targeting the vulnerable endpoint.
5) Once a patch is released by SeaTheme, apply it promptly.
6) Consider implementing multi-factor authentication (MFA) for all administrative accounts to reduce the risk of account takeover.
7) Regularly back up WordPress site data and configurations to enable recovery in case of compromise.
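An interim, site-side guard covering mitigations 1) and 4) above, written as an added example (not vendor or OffSeq code) in the form of a WordPress must-use plugin. It assumes the plugin registers its handler on the wp_ajax_ux_cb_tools_import_item_ajax hook at the default priority 10, so a priority-0 callback on the same hook runs first; the function names and log wording are this example's own. A second layer vetoes changes to the two registration options from callers lacking manage_options, whatever code path attempts the write, and logs the attempt for review.

```php
<?php
/**
 * Plugin Name: Interim guard for CVE-2025-1279 (added example, not vendor code)
 * Description: Drop into wp-content/mu-plugins/ until the patched plugin is installed.
 */

// Layer 1: enforce the capability check the plugin omits. Priority 0 runs before
// the plugin's own handler (assumed to be at the default priority 10) and
// wp_send_json_error() exits, so the handler never runs for unauthorized callers.
add_action( 'wp_ajax_ux_cb_tools_import_item_ajax', 'guard_cve_2025_1279_ajax', 0 );
function guard_cve_2025_1279_ajax() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators keep using the import feature normally
    }
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'CVE-2025-1279 guard: blocked ux_cb_tools_import_item_ajax from user %d at %s',
        get_current_user_id(), $ip
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Layer 2: the pre_update_option_{$option} filter runs inside update_option();
// returning the old value makes the write a no-op. Applied to the two options
// the advisory names as the privilege-escalation path.
foreach ( array( 'default_role', 'users_can_register' ) as $guarded_option ) {
    add_filter( "pre_update_option_{$guarded_option}", 'guard_cve_2025_1279_option', 10, 3 );
}
function guard_cve_2025_1279_option( $value, $old_value, $option ) {
    // Compare as strings: users_can_register may be stored as "0" and submitted as 1.
    if ( (string) $value === (string) $old_value || current_user_can( 'manage_options' ) ) {
        return $value;
    }
    error_log( sprintf(
        'CVE-2025-1279 guard: refused change of %s from %s to %s by user %d',
        $option, var_export( $old_value, true ), var_export( $value, true ), get_current_user_id()
    ) );
    return $old_value;
}
```

Two caveats for operation: WP-CLI runs with no logged-in user, so layer 2 will refuse legitimate changes to these options from the command line unless the command is run with --user set to an administrator; and the error_log() lines only help if PHP's error log is actually collected, so point WP_DEBUG_LOG or the web server's PHP log at something your monitoring reads. Remove the guard once SeaTheme's patched release is installed, since the patch should make the capability check part of the plugin itself.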
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-02-13T15:53:45.261Z
- CISA Enriched: true
Threat ID: 682d983ec4522896dcbf0180
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 2/27/2026, 12:08:46 PM
Last updated: 3/24/2026, 10:49:18 PM
Views: 74