Search criteria
1 vulnerability by valentinpellegrin
CVE-2025-12937 (GCVE-0-2025-12937)
Vulnerability from cvelistv5 – Published: 2025-11-18 08:27 – Updated: 2026-04-08 17:09
VLAI
Title
ACF Flexible Layouts Manager <= 1.1.6 - Missing Authorization to Unauthenticated Custom Field Update
Summary
The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| valentinpellegrin | ACF Flexible Layouts Manager |
Affected:
0 , ≤ 1.1.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12937",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T14:26:10.814008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T14:26:17.607Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ACF Flexible Layouts Manager",
"vendor": "valentinpellegrin",
"versions": [
{
"lessThanOrEqual": "1.1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ahmad Salem"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027acf_flm_update_template_with_pasted_layout\u0027 function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:09:13.734Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/915cce97-8305-4249-b2d3-c4da2f59a95a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-flexible-layouts-manager/trunk/includes/ajax/ajax-paste.php#L4"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-17T20:17:22.000Z",
"value": "Disclosed"
}
],
"title": "ACF Flexible Layouts Manager \u003c= 1.1.6 - Missing Authorization to Unauthenticated Custom Field Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12937",
"datePublished": "2025-11-18T08:27:34.186Z",
"dateReserved": "2025-11-10T02:53:58.874Z",
"dateUpdated": "2026-04-08T17:09:13.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}