CVE-2025-1777: CWE-862 Missing Authorization in SeaTheme BM Content Builder
The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ux_cb_page_options_save' function in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-1777 is a vulnerability identified in the SeaTheme BM Content Builder plugin for WordPress, present in all versions up to and including 3.16.2.1. The root cause is a missing authorization check (CWE-862) in the function 'ux_cb_page_options_save', which is responsible for saving page options. This flaw allows authenticated users with minimal privileges (subscriber-level or above) to bypass the intended capability restrictions and inject arbitrary JavaScript into pages. The injected scripts execute in the browser of any user who visits the compromised page, which amounts to persistent (stored) cross-site scripting (XSS). This can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4 (medium severity): the attack vector is the network, attack complexity is low, privileges are required, no user interaction is needed, and the scope is changed because the impact reaches users other than the attacker. No patches or official fixes have been published yet, and no known exploits are reported in the wild. The vulnerability affects a widely used WordPress plugin, increasing the potential attack surface for the many websites that rely on BM Content Builder for content management.
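To make the CWE-862 pattern concrete, the following is an added illustration and not code from the BM Content Builder plugin or the advisory: a hypothetical WordPress admin-ajax handler that saves per-page options, shown first in the unsafe shape the analysis describes (no capability check, so any logged-in user can write) and then hardened with a nonce check, a capability check, and output sanitisation. All function, action, meta-key and field names are assumptions made for the example; the WordPress API calls (check_ajax_referer, current_user_can, wp_kses_post, etc.) are real.

```php
<?php
// Added illustration (not the BM Content Builder plugin's code): a hypothetical
// admin-ajax handler that saves per-page options, first in the unsafe shape
// described by CVE-2025-1777 (no capability check) and then hardened.
// Function, action, meta-key and field names are assumptions for the example.

// UNSAFE: any logged-in user can reach an action registered with wp_ajax_*,
// and nothing here checks that the caller may edit the target page.
function example_page_options_save_unsafe() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    $options = isset( $_POST['options'] ) ? wp_unslash( $_POST['options'] ) : array();
    // Arbitrary HTML/JS from a subscriber lands in post meta and is rendered later.
    update_post_meta( $post_id, '_example_page_options', $options );
    wp_send_json_success();
}

// HARDENED: nonce (CSRF), capability (authorization, the CWE-862 fix) and
// sanitisation (stored XSS) are all enforced before anything is written.
function example_page_options_save() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_page_options_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // 2. Authorization: edit_post is mapped per post, so a subscriber (who cannot
    //    edit pages by default) is rejected with a 403 and the handler exits here.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw = isset( $_POST['options'] ) && is_array( $_POST['options'] )
        ? wp_unslash( $_POST['options'] )
        : array();

    // 3. Sanitisation: HTML fields are filtered through wp_kses_post() unless the
    //    user holds unfiltered_html; everything else is treated as plain text.
    $clean = array();
    foreach ( $raw as $key => $value ) {
        $key = sanitize_key( $key );
        if ( 'custom_html' === $key ) {
            $clean[ $key ] = current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
        } else {
            $clean[ $key ] = sanitize_text_field( $value );
        }
    }

    update_post_meta( $post_id, '_example_page_options', $clean );
    wp_send_json_success();
}

// Register only the hardened handler. No wp_ajax_nopriv_ variant is registered,
// so logged-out visitors cannot reach the endpoint at all.
add_action( 'wp_ajax_example_page_options_save', 'example_page_options_save' );
```

The key design point is the order of checks: the nonce stops cross-site requests, the per-post capability check is the authorization the vulnerable function lacked, and the sanitisation step limits damage even when a legitimately privileged account is compromised. When reviewing a plugin for this class of bug, look for every wp_ajax_* or REST callback that writes data and confirm it calls current_user_can() (or a REST permission_callback) before the write.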
Potential Impact
The vulnerability enables attackers with low-level authenticated access to inject malicious scripts that execute in the browsers of other users visiting the affected pages. This compromises confidentiality by potentially exposing session tokens, cookies, or personal data. Integrity is impacted as attackers can manipulate page content or perform unauthorized actions on behalf of users. Although availability is not directly affected, the trustworthiness and security posture of the affected websites are undermined. Organizations running WordPress sites with the BM Content Builder plugin are at risk of targeted attacks, especially if subscriber accounts are easily obtainable or compromised. The persistent nature of the XSS increases the risk of widespread exploitation, including phishing, malware distribution, or lateral movement within the site. The medium CVSS score reflects the balance between the requirement for authenticated access and the significant impact on other users.
Mitigation Recommendations
1. Immediately restrict subscriber-level user capabilities to the minimum necessary, and audit existing user accounts for suspicious activity.
2. Monitor and review page content for unauthorized script injections, focusing on pages managed by BM Content Builder.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script payloads targeting the plugin’s page options functionality.
4. Disable or remove the BM Content Builder plugin if not essential until an official patch is released.
5. Encourage the vendor to release a patch and apply it promptly once available.
6. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites.
7. Educate site administrators about the risks of granting subscriber-level access and enforce strong authentication controls.
8. Regularly back up site data to enable recovery from potential compromises.
These steps go beyond generic advice by focusing on user privilege management, content monitoring, and proactive WAF and CSP configurations tailored to this plugin’s vulnerability.
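Recommendation 2 (review stored content for injected script) can be turned into a repeatable, read-only audit. The script below is an added example, not part of the advisory or of the plugin, and it does not know where BM Content Builder stores its page options; it therefore searches both post bodies and all post meta for a small set of script-like indicators and flags hits whose author lacks publishing rights, which is the strongest signal of a subscriber having written script. The indicator list, the function name and the output format are assumptions; $wpdb->prepare, $wpdb->esc_like and user_can are real WordPress APIs. It can be run with WP-CLI as `wp eval-file audit.php`.

```php
<?php
// Added example (not part of the advisory or the plugin): a read-only audit for
// script-like content stored in posts and post meta, supporting the
// "review page content for unauthorized script injections" recommendation.
// Indicator strings and output format are assumptions for this illustration.

function example_find_script_injections() {
    global $wpdb;
    $findings = array();

    // Conservative indicators of stored script; extend to suit your content.
    $needles = array( '<script', 'javascript:', 'onerror=', 'onload=', 'onmouseover=' );

    foreach ( $needles as $needle ) {
        $like = '%' . $wpdb->esc_like( $needle ) . '%';

        // 1. Post bodies: pages rendered by a page builder usually draw from here.
        $posts = $wpdb->get_results( $wpdb->prepare(
            "SELECT ID, post_author, post_modified FROM {$wpdb->posts}
             WHERE post_status IN ('publish','draft','pending') AND post_content LIKE %s",
            $like
        ) );
        foreach ( $posts as $p ) {
            $findings[] = array(
                'where'    => 'post_content',
                'post_id'  => (int) $p->ID,
                'author'   => (int) $p->post_author,
                'modified' => $p->post_modified,
                'needle'   => $needle,
            );
        }

        // 2. Post meta: per-page builder options are commonly stored here, so an
        //    injected option value would show up as a meta_value hit.
        $meta = $wpdb->get_results( $wpdb->prepare(
            "SELECT post_id, meta_key FROM {$wpdb->postmeta} WHERE meta_value LIKE %s",
            $like
        ) );
        foreach ( $meta as $m ) {
            $findings[] = array(
                'where'   => 'postmeta:' . $m->meta_key,
                'post_id' => (int) $m->post_id,
                'needle'  => $needle,
            );
        }
    }
    return $findings;
}

// Report each hit; a post whose author cannot publish pages but contains script
// deserves immediate attention, so it is flagged explicitly.
foreach ( example_find_script_injections() as $f ) {
    $flag = '';
    if ( isset( $f['author'] ) && ! user_can( $f['author'], 'publish_pages' ) ) {
        $flag = ' [author lacks publish_pages]';
    }
    printf( "%s post=%d needle=%s%s\n", $f['where'], $f['post_id'], $f['needle'], $flag );
}
```

Expect legitimate hits from themes and editors who embed script on purpose; the value of the audit is in diffing its output over time (run it before and after the plugin update) and in the author-capability flag, rather than in the raw count of matches.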
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-02-28T11:04:10.400Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6842df031a426642debc956f
Added to database: 6/6/2025, 12:28:51 PM
Last enriched: 2/27/2026, 12:28:48 PM
Last updated: 3/25/2026, 5:40:57 AM
Views: 60