Seatheme Bm Content Builder vulnerabilities
4 known vulnerabilities affecting seatheme/bm_content_builder.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
HIGH: 2, MEDIUM: 2
Vulnerabilities
CVE-2025-1279 | P2 | HIGH | CVSS 8.8 | CWE-862 | ≤ 3.16.2.1 | 2025-04-25
The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ux_cb_tools_import_item_ajax AJAX action in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, t
nvd
CVE-2025-59002 | P3 | HIGH | CVSS 7.7 | CWE-22 | ≤ 3.16.3.3 | 2025-09-26
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder bm-builder allows Path Traversal. This issue affects BM Content Builder: from n/a through < 3.16.3.3.
nvd
CVE-2025-69055 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | ≤ 3.16.3.3 | 2026-01-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder bm-builder allows Path Traversal. This issue affects BM Content Builder: from n/a through < 3.16.3.3.
nvd
CVE-2025-1777 | P3 | MEDIUM | CVSS 6.4 | CWE-862 | ≤ 3.16.2.1 | 2025-06-06
The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ux_cb_page_options_save' function in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that w
nvd