CVE-2025-8427: 
WordPress vulnerability analysis and mitigation

The Beaver Builder Plugin (Starter Version) for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-8427) discovered on October 23, 2025. The vulnerability affects all versions up to and including 2.9.2.1, specifically through the 'auto_play' parameter (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the 'auto_play' parameter. This security flaw has been assigned a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD, Wordfence).

The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising user data and website security (NVD).

Users should update to a version newer than 2.9.2.1 when available. The vulnerability has been disclosed to the vendor, and updates can be tracked through the official changelog (Beaver Builder).