CVE-2025-4102: 
WordPress vulnerability analysis and mitigation

The Beaver Builder Plugin (Starter Version) for WordPress contains an arbitrary file upload vulnerability (CVE-2025-4102) in the 'saveenabledicons' function affecting all versions up to and including 2.9.1. The vulnerability was discovered by Tom Broucke from Otomaties and was publicly disclosed on June 19, 2025 (NVD, Wordfence).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue stems from missing file type validation in the 'saveenabledicons' function, which fails to properly validate uploaded files (NVD).

If exploited, this vulnerability allows authenticated attackers with Administrator-level access to upload arbitrary files to the affected site's server, potentially enabling remote code execution. This could lead to complete system compromise with high impacts on confidentiality, integrity, and availability (NVD).

The vulnerability was partially patched in version 2.9.1 of the Beaver Builder Plugin. Users are advised to update to this version or later to mitigate the risk. The fix includes improvements to prevent PHP files from being uploaded regardless of directory (Beaver Builder).