CVE-2025-1777

Description

The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the ux_cb_page_options_save function in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.