CVE-2025-4102
Beaver Builder Plugin (Starter Version) <= 2.9.1 - Authenticated (Administrator+) Arbitrary File UploadThe Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_enabled_icons' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 2.9.1.
We have discovered 91,521 live websites that are affected by CVE-2025-4102.
Affected Software
| Product | |
| Category | Wordpress Themes |
| Vulnerable Domains | 91,521 live websites (100% of Beaver Builder install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 65 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-434 Unrestricted Upload of File with Dangerous TypeDetails
- Published - Jun 20, 2025
- Updated - Jun 20, 2025
Credits
- Tom Broucke (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-4102 United States | 62,374 websites |
 GB | 5,493 websites |
 Germany | 3,510 websites |
 Netherlands | 3,413 websites |
 Canada | 2,777 websites |
 France | 2,304 websites |
 Australia | 2,073 websites |
 Switzerland | 1,006 websites |
 South Africa | 710 websites |
 Norway | 646 websites |
Website Distribution by TLD
Number of websites using CVE-2025-4102| .com | 56,622 websites |
| .org | 8,232 websites |
| .co.uk | 3,868 websites |
| .nl | 3,197 websites |
| .net | 2,259 websites |
| .de | 2,121 websites |
| .com.au | 1,963 websites |
| .ca | 1,673 websites |
| .fr | 1,113 websites |
| .ch | 814 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-4102
Top websites that are affected by CVE-2025-4102. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.com | United States | *,*** | |
| ********.com | United States | *,*** | |
| ********.com | United States | *,*** | |
| ***************.com | United States | *,*** | |
| ***********************.com | United States | *,*** | |
| ***.***.au | United States | *,*** | |
| ***.edu | United States | *,*** | |
| ***.org | United States | *,*** | |
| ***********************.com | United States | **,*** | |
| *********.com | United States | **,*** |
FAQ
CVE-2025-4102 is Unrestricted Upload of File with Dangerous Type in Beaver Builder
A total of 91,521 websites have been identified as vulnerable to CVE-2025-4102, based on global website indexing conducted by WebTechSurvey.
The Beaver Builder is affected by the CVE-2025-4102 vulnerability.
Beaver Builder versions up to and including 2.9.1 are vulnerable to CVE-2025-4102.