CVE-2025-12937: CWE-862 Missing Authorization in valentinpellegrin ACF Flexible Layouts Manager
The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages.
AI Analysis
Technical Summary
CVE-2025-12937 affects the ACF Flexible Layouts Manager plugin for WordPress in all versions up to and including 1.1.6. The root cause is a missing authorization check (CWE-862) in the function 'acf_flm_update_template_with_pasted_layout', which updates a template from a pasted layout. Because the function never verifies that the caller holds an appropriate capability, an unauthenticated attacker who can reach the endpoint that exposes it can invoke it remotely and modify custom field values on individual posts and pages, with no login and no interaction from any site user. ACF custom fields commonly drive what a theme renders, so an attacker can alter content or metadata that depends on them. The advisory does not name the endpoint; in WordPress a function reachable without login is typically exposed through a wp_ajax_nopriv_ hook or a public REST route, so the exact request path should be confirmed against the plugin source. The CVSS v3.1 metrics are network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N) and unchanged scope (S:U, meaning the impact stays within the WordPress site hosting the plugin rather than crossing into another security authority). A base score of 6.5 with those metrics corresponds to low confidentiality and low integrity impact with no availability impact (C:L/I:L/A:N), a medium severity rating. At the time of writing no patch has been linked to the record and no in-the-wild exploitation has been reported. The practical effect is that site content managed through this plugin can be silently altered by anyone on the internet.
Potential Impact
The primary impact of CVE-2025-12937 is unauthorized modification of custom field data on WordPress posts and pages, which undermines the integrity (and, per the CVSS rating, to a limited degree the confidentiality) of site content. Because ACF flexible-content fields typically control which blocks a theme renders and what they contain, an attacker could change displayed information, inject misleading or malicious content such as links to phishing or malware-hosting pages, or break page layouts that depend on those fields. With no authentication and no user interaction required, exploitation can be scripted and run at scale against every site that exposes the plugin, so any internet-facing installation of an affected version should be treated as exposed. Availability is not directly affected, but corrupted layouts can cause indirect disruption and loss of trust, and recovery requires knowing which fields were changed. The absence of public exploits lowers the immediate likelihood but not the severity: a missing capability check is trivial to weaponize once the request format is known.
Mitigation Recommendations
First, inventory WordPress installations for the ACF Flexible Layouts Manager plugin and record the installed version; anything at or below 1.1.6 is affected. Until a fixed release is available, deactivating or removing the plugin is the only mitigation that fully removes the exposure. If that is not feasible, reduce the attack surface at the WAF or web server, but do not simply block /wp-admin/admin-ajax.php: many themes and plugins call it from the front end for anonymous visitors, so a blanket block or IP allow-list will break site functionality. Instead, identify how the plugin exposes the function (check the plugin source for the wp_ajax_nopriv_ hook or REST route that calls acf_flm_update_template_with_pasted_layout) and block, or require authentication for, requests carrying that specific action or route. For detection, log and alert on POST requests to admin-ajax.php or the relevant REST path that carry the plugin's action name from clients without a WordPress login cookie; note that standard access logs do not record POST bodies, so the action parameter is only visible if it is sent in the query string or if a WAF or application-level logger captures the body. Administrators comfortable modifying code can apply a temporary patch that removes the unauthenticated hook registration and adds a capability check (current_user_can('edit_post', $post_id) for the target post) together with a nonce check before any field is written; keep such local patches under version control and remove them once an official fix ships. Maintain regular backups of the database, including post meta where ACF stores custom field values, so unauthorized changes can be identified by diff and rolled back. Finally, watch the vendor's plugin page and the Wordfence advisory for a fixed version and apply it promptly.
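To make the CWE-862 pattern concrete, the following is an added illustration written for this page, not the plugin's own code (which is not reproduced here). It shows a WordPress AJAX handler that writes a custom field in the vulnerable shape the advisory describes, beside a hardened version. Every hook name, action name, parameter name and meta key is a hypothetical placeholder; an ACF-based plugin would typically call update_field() rather than core update_post_meta(), but the authorization logic is the same.

```php
<?php
/**
 * Added illustration (not the plugin's code): a WordPress admin-ajax handler
 * that writes a custom field, first in the shape CWE-862 describes, then
 * hardened. All hook, action, parameter and meta-key names are hypothetical.
 */

// --- Vulnerable shape: reachable without login, no capability check. ---
// Registering on wp_ajax_nopriv_* makes the handler callable by anyone who can
// POST to /wp-admin/admin-ajax.php with action=example_update_layout.
add_action( 'wp_ajax_nopriv_example_update_layout', 'example_update_layout_vulnerable' );
add_action( 'wp_ajax_example_update_layout',        'example_update_layout_vulnerable' );

function example_update_layout_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    $layout  = isset( $_POST['layout'] ) ? wp_unslash( $_POST['layout'] ) : '';

    // Missing: nonce check and current_user_can(). Any client on the internet
    // can rewrite this field on any post ID it names.
    update_post_meta( $post_id, 'example_layout', $layout );
    wp_send_json_success();
}

// --- Hardened shape: logged-in only, nonce, per-post capability, validation. ---
add_action( 'wp_ajax_example_update_layout_secure', 'example_update_layout_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: for anonymous users the action
// does not exist, and admin-ajax.php returns its generic "0" response.

function example_update_layout_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() dies with a 403-style response on failure.
    check_ajax_referer( 'example_update_layout', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $layout  = isset( $_POST['layout'] ) ? wp_unslash( $_POST['layout'] ) : '';

    // 2. Authorization: the post must exist and the caller must be allowed to
    //    edit *this* post. Being logged in is not enough; CWE-862 is about the
    //    missing capability check, not merely the missing login.
    if ( ! $post_id || ! get_post( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: accept only the shape the feature expects
    //    (here, a JSON-encoded array describing the layout).
    $decoded = json_decode( $layout, true );
    if ( ! is_array( $decoded ) ) {
        wp_send_json_error( 'invalid layout', 400 );
    }

    update_post_meta( $post_id, 'example_layout', wp_json_encode( $decoded ) );
    wp_send_json_success();
}

// The matching nonce is handed to the editor page server-side, for example:
// wp_localize_script( 'example-editor', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_update_layout' ),
// ) );
```

The three checks are independent: removing the nopriv hook stops anonymous callers, the nonce stops cross-site request forgery against logged-in editors, and current_user_can('edit_post', $post_id) stops a low-privilege account (a subscriber or a contributor on someone else's post) from writing to posts it does not own. Auditing a plugin for this class of bug means confirming all three are present on every handler that writes data.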
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-10T02:53:58.874Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691c305a35a0ab0a5627106d
Added to database: 11/18/2025, 8:37:46 AM
Last enriched: 2/27/2026, 9:21:20 PM
Last updated: 3/24/2026, 2:16:50 PM