CVE-2025-12937 identifies a missing authorization vulnerability (CWE-862) in the ACF Flexible Layouts Manager plugin for WordPress, maintained by valentinpellegrin. The vulnerability exists in all versions up to and including 1.1.6, specifically in the function 'acf_flm_update_template_with_pasted_layout'. This function lacks proper capability checks, allowing unauthenticated attackers to send crafted requests that update custom field values on individual posts and pages. Since WordPress custom fields often control dynamic content and layout, unauthorized modifications can lead to data integrity issues and potential misinformation or content defacement. The vulnerability is remotely exploitable over the network without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 6.5 (medium), reflecting low attack complexity and no privileges required, but limited impact on confidentiality and integrity and no impact on availability. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. However, the vulnerability's presence in a popular WordPress plugin used widely for content management makes it a significant concern for website operators.

For European organizations, this vulnerability poses a risk primarily to the integrity and confidentiality of website content managed via WordPress using the ACF Flexible Layouts Manager plugin. Attackers can alter custom field data, potentially injecting misleading information, defacing pages, or manipulating site behavior. This could damage brand reputation, misinform users, or facilitate further attacks such as phishing or malware distribution. While availability is not directly impacted, the indirect effects of content tampering could lead to loss of customer trust and regulatory scrutiny, especially under GDPR if personal data integrity is compromised. Organizations relying on WordPress for public-facing or internal content management should be vigilant. The risk is heightened for sectors with high visibility or regulatory requirements, such as government, finance, healthcare, and media within Europe.

Since no official patch is currently available, organizations should implement compensating controls immediately. These include restricting access to WordPress admin and REST API endpoints via IP whitelisting or web application firewalls (WAFs) to block unauthorized POST requests targeting the vulnerable function. Monitoring and logging all requests to the 'acf_flm_update_template_with_pasted_layout' endpoint can help detect suspicious activity. Administrators should review user roles and capabilities to ensure no excessive permissions are granted. Applying the principle of least privilege to all WordPress users is critical. Once a patch is released, prompt updating of the plugin to the fixed version is essential. Additionally, organizations should conduct regular integrity checks on critical content and maintain backups to enable quick restoration if unauthorized changes occur. Security awareness training for site administrators about this vulnerability and safe plugin management practices is also recommended.