CVE-2025-62996
Description
Missing Authorization vulnerability in Code Amp Custom Layouts – Post + Product grids made easy custom-layouts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Layouts – Post + Product grids made easy: from n/a through <= 1.4.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Custom Layouts plugin for WordPress <=1.4.12 has a missing authorization vulnerability allowing low-privilege users to perform unauthorized actions.
Vulnerability Overview
The Custom Layouts – Post + Product grids made easy plugin for WordPress contains a missing authorization vulnerability in versions up to and including 1.4.12 [1]. This flaw arises from incorrectly configured access control security levels, allowing functions to be executed without proper permission checks. As a result, an attacker with minimal privileges can exploit this broken access control to perform actions reserved for higher-privileged users [1].
Exploitation Details
Exploitation requires an authenticated user account with low-level access, such as a subscriber or contributor. No special network position is needed beyond standard WordPress access. The attack vector is through WordPress admin-ajax or similar endpoints that lack nonce or capability checks. The vulnerability is considered low severity but is reportedly used in mass-exploit campaigns targeting thousands of websites [1].
Impact
Successful exploitation allows an unprivileged user to modify custom layouts, insert malicious content, or perform other unauthorized actions within the plugin’s context. This could lead to site defacement, data tampering, or further privilege escalation depending on the plugin’s capabilities [1].
Mitigation
The vendor has released version 1.5.0 which resolves the vulnerability by implementing proper authorization checks. Users are strongly advised to update immediately. For those unable to update, applying a Web Application Firewall (WAF) rule or contacting hosting providers for assistance is recommended [1].
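A version check for the affected range stated above, as an added example (not code from the plugin or from this advisory page). It assumes the default `wp-content/plugins/<slug>` layout and the standard WordPress plugin header; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# Values taken from the advisory text: plugin slug and last affected version.
SLUG = "custom-layouts"
LAST_AFFECTED = "1.4.12"

# Standard WordPress plugin header line, e.g. " * Version: 1.4.12"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(text):
    """Turn '1.4.12' into (1, 4, 12) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_affected(version):
    """True when version <= LAST_AFFECTED (the advisory's range)."""
    a, b = parse_version(version), parse_version(LAST_AFFECTED)
    width = max(len(a), len(b))
    # Pad with zeros so '1.4.12.0' compares equal to '1.4.12'.
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return a <= b

def installed_version(plugin_dir):
    """Read the Version header from the plugin's top-level PHP files."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress itself only reads the first 8 KiB for header data.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if "Plugin Name:" in head:
            m = HEADER_RE.search(head)
            if m:
                return m.group(1)
    return None

def audit(wp_root):
    """Return (status, version) for the plugin under one WordPress root."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown", None)
    return ("affected" if is_affected(version) else "ok", version)

if __name__ == "__main__":
    for root in sys.argv[1:]:
        status, version = audit(root)
        print(f"{root}: {SLUG} {version or '-'} -> {status}")
```

Pass one or more WordPress root directories as arguments; a site with a relocated `wp-content` directory needs the path adjusted.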
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=1.4.12
- Range: <=1.4.12
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.