ACF Flexible Layouts Manager Under Attack: Unauthenticated Data Modification Flaw (CVE-2025-12937)

Overview

CVE-2025-12937 is a medium-severity vulnerability in the ACF Flexible Layouts Manager plugin for WordPress. All versions up to and including 1.1.6 are susceptible to unauthorized modification of data because the acf_flm_update_template_with_pasted_layout function performs no capability check. As a result, an unauthenticated attacker can overwrite custom field values on individual posts and pages. Nothing is read back to the attacker; the damage is to integrity, and it can be used for site defacement, injected content, or as the first step in a broader compromise.

Technical Details

The vulnerability lies in the acf_flm_update_template_with_pasted_layout function, which handles pasting a layout template into a post. The core issue is that nothing verifies who is calling before the update is executed. Any logged-in user, and even an unauthenticated visitor, can trigger the function and, with an appropriately crafted request, modify the custom fields of a post or page they have no right to edit. The function is exposed as a WordPress AJAX handler; because unauthenticated requests reach it, it must be registered for logged-out visitors as well as logged-in ones.

As of version 1.1.6 the code lives in includes/ajax/ajax-paste.php. With no capability check (and no check that the caller may edit the specific target post), the function processes whatever data is sent to it, so the post ID, the field to write and the value written are all attacker-controlled.

Here’s a simplified snippet illustrating the area of concern in ajax-paste.php (reconstructed for demonstration; the actual code differs in detail):

        // [Simplified for demonstration - actual code may vary]
        function acf_flm_update_template_with_pasted_layout() {
            // MISSING CAPABILITY CHECK HERE! There is no current_user_can( 'edit_post', $post_id )
            // and no nonce check (check_ajax_referer), so any visitor who can reach
            // admin-ajax.php can call this with values of their choosing.
            $post_id    = $_POST['post_id'];    // attacker-chosen target post
            $field_key  = $_POST['field_key'];  // attacker-chosen ACF field key
            $new_layout = $_POST['new_layout']; // attacker-chosen value to store

            // ... (rest of the code that updates the custom fields)
        }
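What the handler should look like with the missing checks in place. This is an added illustration, not the plugin's code or its actual patch: the AJAX action name (assumed to match the function name), the nonce action string acf_flm_paste_layout, the POST parameter names and the use of ACF's update_field() are assumptions made so the example is complete and runnable inside a WordPress install.

```php
<?php
// Added example, not from the plugin: the same AJAX handler with the missing
// request-forgery and authorization checks. Action name, nonce action string,
// parameter names and the use of ACF's update_field() are assumptions.

// Registered for logged-in users only. Deliberately NO wp_ajax_nopriv_ variant:
// a logged-out visitor should never reach this handler at all.
add_action( 'wp_ajax_acf_flm_update_template_with_pasted_layout', 'acf_flm_update_template_with_pasted_layout' );

function acf_flm_update_template_with_pasted_layout() {
    // 1. CSRF: the request must carry a nonce tied to this action and to the
    //    current user. On failure check_ajax_referer() ends the request with 403.
    //    The admin page that triggers the paste must send
    //    wp_create_nonce( 'acf_flm_paste_layout' ) in the "nonce" field.
    check_ajax_referer( 'acf_flm_paste_layout', 'nonce' );

    // 2. Validate and normalise input before using it for anything.
    $post_id   = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $field_key = isset( $_POST['field_key'] ) ? sanitize_key( $_POST['field_key'] ) : '';
    $raw       = isset( $_POST['new_layout'] ) ? wp_unslash( $_POST['new_layout'] ) : '';
    // Accept the layout either as a JSON string or as an already-decoded array.
    $new_layout = is_string( $raw ) ? json_decode( $raw, true ) : $raw;

    if ( ! $post_id || ! $field_key || ! is_array( $new_layout ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // 3. Authorization: the caller must be allowed to edit THIS post, not merely
    //    be logged in. edit_post is a meta capability, so WordPress resolves it
    //    per post (own vs. others' posts, post type, post status).
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'You are not allowed to edit this post.' ), 403 );
    }

    // 4. Only now write the field. update_field() is ACF's public API (assumed
    //    here because the handler is described as updating custom field values).
    //    The layout is stored as data; escape it wherever the theme renders it.
    if ( ! function_exists( 'update_field' ) || ! update_field( $field_key, $new_layout, $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Update failed.' ), 500 );
    }

    wp_send_json_success( array( 'post_id' => $post_id, 'field_key' => $field_key ) );
}
```

Two points worth underlining. A nonce alone is not authorization: it proves the request came from a page this user loaded, not that the user may edit the target post, so the current_user_can( 'edit_post', $post_id ) check is the one that actually closes CVE-2025-12937. And dropping the wp_ajax_nopriv_ registration means unauthenticated requests get WordPress's generic "0" / 400 response before the handler runs, which is the cheapest possible check.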
        

CVSS Analysis

The vulnerability has been assigned a CVSS score of 6.5 (MEDIUM). Reconstructing the vector from the characteristics described above gives the following components:

  • Attack Vector (AV): N – Network: the AJAX endpoint is reachable over HTTP, so the bug is exploitable remotely.
  • Attack Complexity (AC): L – Low: a single crafted POST suffices; no race condition or special configuration is needed.
  • Privileges Required (PR): N – None: the caller need not be logged in. This raises the score rather than lowering it; unauthenticated access is why the bug is not rated Low.
  • User Interaction (UI): N – None: no administrator or editor has to click anything.
  • Scope (S): U – Unchanged: the affected data stays within the WordPress installation's own security authority.
  • Confidentiality Impact (C): N – None: the handler writes values; nothing is read back to the attacker.
  • Integrity Impact (I): H – High: custom field values on arbitrary posts and pages can be overwritten.
  • Availability Impact (A): N – None: the site keeps serving.

Assembled, that is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. Before quoting it, run the numbers: with these exploitability metrics (8.22 × 0.85 × 0.77 × 0.85 × 0.85 ≈ 3.89) and an impact sub-score of 6.42 × 0.56 ≈ 3.60, the CVSS 3.1 base score rounds up to 7.5, not 6.5. A 6.5 with the same unauthenticated, network-reachable exploitability is only produced by two Low impact metrics, for example C:L/I:L/A:N. So either the published 6.5 rates the integrity loss as partial (Low) rather than total, or the reconstruction above is off. The advisory that assigned the score is the authority for the vector; treat the reconstruction here as a sanity check, not a substitute for it.

Possible Impact

The exploitation of CVE-2025-12937 can have significant consequences:

  • Website Defacement: attackers can overwrite the custom fields that drive a page's layout and content, defacing the site.
  • Data Manipulation: information stored in custom fields (pricing, contact details, embedded markup) can be altered or blanked.
  • SEO Poisoning: spam keywords and outbound links can be injected into rendered pages, harming search ranking and reputation.
  • Phishing Campaigns: modified pages can be turned into phishing forms that trick visitors into submitting credentials or payment data.
  • Backdoor Creation: custom field values are data, but they become executable wherever a theme or shortcode renders them unescaped (stored XSS in the front end) or hands them to a code-execution plugin. Treat any unexplained change as a potential foothold, not just vandalism.

Mitigation and Patch Steps

  1. Update the Plugin: the primary mitigation is to update ACF Flexible Layouts Manager to the latest version. Check the plugin's changelog in the WordPress plugin repository to confirm that the release you install is the one that adds the capability check, rather than assuming any newer version does.
  2. Temporary Workaround (if no patch is available): deactivate the plugin until a fixed release ships. Deactivating it stops its code from loading, so the AJAX hook is no longer registered; leaving it active but unused does nothing. The site loses the plugin's functionality in the meantime.
  3. Web Application Firewall (WAF): every WordPress AJAX request goes through wp-admin/admin-ajax.php and is distinguished only by its action parameter, so a rule keyed on the URL path alone would block all AJAX traffic on the site. Match on the action value the plugin registers for this handler (confirm the exact name in the plugin source, since it need not equal the function name) and block or challenge that action when the request carries no logged-in WordPress session cookie. This is a stopgap while awaiting the update, not a fix.
  4. Monitor Website Activity: watch for custom field (postmeta) changes that occur while no user is logged in, and for POSTs to admin-ajax.php carrying the plugin's action from unauthenticated sessions. If the plugin has been active at a vulnerable version, audit recently modified posts and pages for unexpected content.
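For step 4, one way to take the signal straight from WordPress rather than reconstructing it from access logs. This is an added example, not part of the plugin or the original post: a must-use plugin that logs every post meta write that happens while no user is logged in, which a normal editing workflow never produces. The plugin name, the uamw_ prefix and the log line format are invented for the example; added_post_meta and updated_post_meta are real WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Unauthenticated Meta Write Monitor
 * Description: Added example (not the plugin's code): logs post meta writes made while
 *              no user is logged in. Drop this file into wp-content/mu-plugins/.
 */

function uamw_log_meta_write( string $event, int $meta_id, int $post_id, string $meta_key ): void {
    // Writes by logged-in users are ordinary editing; only logged-out contexts are suspicious.
    if ( get_current_user_id() !== 0 ) {
        return;
    }
    // WP-Cron and WP-CLI also run without a user; exclude them to keep the log useful.
    if ( ( defined( 'DOING_CRON' ) && DOING_CRON ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    $entry = array(
        'ts'        => gmdate( 'c' ),
        'event'     => $event,            // "added" or "updated"
        'post_id'   => $post_id,
        'meta_key'  => $meta_key,         // ACF stores values under the field name and "_field" => field key
        'meta_id'   => $meta_id,
        'ajax'      => wp_doing_ajax(),   // true for admin-ajax.php requests
        'action'    => isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '',
        'uri'       => isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( $_SERVER['REQUEST_URI'] ) : '',
        'remote_ip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
    );
    // error_log() writes to the PHP error log (or wp-content/debug.log with WP_DEBUG_LOG);
    // ship that file to your SIEM and alert on the UNAUTH_META_WRITE prefix.
    error_log( 'UNAUTH_META_WRITE ' . wp_json_encode( $entry ) );
}

// Core fires these after a postmeta row is inserted or updated:
// do_action( "added_post_meta", $mid, $object_id, $meta_key, $meta_value )
// do_action( "updated_post_meta", $meta_id, $object_id, $meta_key, $meta_value )
add_action( 'added_post_meta', function ( $meta_id, $object_id, $meta_key ) {
    uamw_log_meta_write( 'added', (int) $meta_id, (int) $object_id, (string) $meta_key );
}, 10, 3 );

add_action( 'updated_post_meta', function ( $meta_id, $object_id, $meta_key ) {
    uamw_log_meta_write( 'updated', (int) $meta_id, (int) $object_id, (string) $meta_key );
}, 10, 3 );
```

Expect some baseline noise on sites that legitimately write post meta from the front end (form builders, front-end submission plugins, e-commerce checkout), and tune on the action field rather than muting the whole hook. A burst of entries where action equals the plugin's paste action and ajax is true is exactly the exploitation pattern for this CVE.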

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
