CVE-2025-2802
Description
The LayoutBoxx plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.3.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The LayoutBoxx WordPress plugin up to 0.3.1 allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient validation before calling do_shortcode.
Vulnerability Overview
The LayoutBoxx plugin for WordPress, in all versions up to and including 0.3.1, contains a vulnerability that permits arbitrary shortcode execution. The root cause is that the plugin passes a user-supplied value directly to the do_shortcode() function without proper validation or sanitization [1]. This oversight allows an attacker to inject and execute any WordPress shortcode, including those that may perform sensitive operations.
Exploitation Conditions
Exploitation does not require authentication; an unauthenticated attacker can trigger the vulnerable action by sending a crafted request to the WordPress instance. The plugin's code shows that the do_shortcode call is made within a shortcode handler, but the vulnerability lies in the lack of input validation before that call [1]. No special privileges or network position beyond standard web access are needed.
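To make the flaw class concrete, the following is an added illustration, not the LayoutBoxx plugin's code (which this page does not reproduce): a hypothetical unauthenticated AJAX action that hands a request value straight to do_shortcode(), beside a hardened form that requires a nonce and capability check and restricts rendering to an explicit allow-list of shortcode tags. The hook name, request parameter and allow-list entries are assumptions.

```php
<?php
// Added illustration only. Hook name, parameter name and allow-list tags are
// hypothetical and not taken from the LayoutBoxx plugin.

// VULNERABLE pattern: a nopriv (unauthenticated) AJAX action passes a request
// value directly to do_shortcode(), so any registered shortcode can be run.
add_action( 'wp_ajax_nopriv_render_box', 'render_box_unsafe' );
function render_box_unsafe() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // no check on which shortcode tags are present
    wp_die();
}

// HARDENED form: authenticated hook only, nonce + capability check, and an
// explicit allow-list enforced before do_shortcode() is ever reached.
add_action( 'wp_ajax_render_box', 'render_box_safe' );
function render_box_safe() {
    check_ajax_referer( 'render_box_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    $allowed = array( 'layoutboxx_row', 'layoutboxx_col' ); // hypothetical tags
    if ( ! shortcodes_are_allowed( $content, $allowed ) ) {
        wp_send_json_error( 'shortcode not permitted', 400 );
    }
    wp_send_json_success( do_shortcode( $content ) );
}

// Returns true only when every shortcode tag found in $content is in $allowed.
// get_shortcode_regex() is core's own matcher; capture group 2 is the tag name.
function shortcodes_are_allowed( $content, array $allowed ) {
    if ( ! preg_match_all( '/' . get_shortcode_regex() . '/s', $content, $m ) ) {
        return true; // no shortcodes present at all
    }
    foreach ( $m[2] as $tag ) {
        if ( ! in_array( $tag, $allowed, true ) ) {
            return false;
        }
    }
    return true;
}
```

The detection-side takeaway for defenders is the same as the code's: look for handlers reachable via wp_ajax_nopriv_* (or REST routes with a permissive permission_callback) that forward request data to do_shortcode().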
Impact
Successful exploitation enables an attacker to execute arbitrary shortcodes. Depending on the available shortcodes (including those from other plugins or core), this could lead to privilege escalation, data exfiltration, or other malicious actions. The severity is rated High (CVSS 7.3) due to the low attack complexity and no required privileges.
Mitigation Status
As of the publication date (2025-05-06), no patched version has been released. Users are advised to disable or remove the LayoutBoxx plugin until a fix is available. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog, but given the ease of exploitation, immediate action is recommended.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.