VYPR
Medium severity 5.4 · NVD Advisory · Published Dec 18, 2025 · Updated Apr 23, 2026

CVE-2025-62960

Description

Missing Authorization vulnerability in sparklewpthemes Construction Light construction-light allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Construction Light: from n/a through <= 1.6.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Construction Light WordPress theme <=1.6.7 has missing authorization, allowing unauthenticated attackers to exploit incorrectly configured access controls.

The Construction Light theme for WordPress versions up to 1.6.7 contains a missing authorization vulnerability. This means that certain functions or endpoints lack proper access control checks, allowing exploitation of incorrectly configured security levels [1].

Unauthenticated attackers can exploit the vulnerability by sending crafted requests to the vulnerable endpoints. No authentication is required, and the attack vector is network-based. The CVSS score of 5.4 is relatively low and indicates medium severity, but the reference notes that such vulnerabilities are often used in mass-exploit campaigns targeting thousands of websites [1].

Successful exploitation could allow an attacker to perform actions that should be restricted to higher-privileged users, such as modifying settings or accessing sensitive data. The exact impact depends on the specific missing authorization, but it could lead to unauthorized changes or information disclosure [1].

The theme has not been updated for 5 months and is unlikely to receive patches. The recommended action is to remove and replace the theme with a supported alternative. Deactivating the theme does not remove the security threat unless a mitigation rule (e.g., from Patchstack) is deployed [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1