CVE-2025-12937 identifies a missing authorization vulnerability (CWE-862) in the ACF Flexible Layouts Manager plugin for WordPress, developed by valentinpellegrin. The vulnerability affects all versions up to and including 1.1.6. Specifically, the function 'acf_flm_update_template_with_pasted_layout' lacks proper capability checks, allowing unauthenticated attackers to update custom field values on individual posts and pages. This means that an attacker can send crafted requests to the plugin's endpoint to modify content fields without any authentication or user interaction. The vulnerability impacts the integrity of website content, as unauthorized modifications could lead to misinformation, defacement, or insertion of malicious content. The CVSS 3.1 base score is 6.5, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality and integrity impact without availability impact. No patches or known exploits are currently documented, but the vulnerability is publicly disclosed and should be considered exploitable. The plugin is used within WordPress environments, which are widely deployed across many organizations, making this a relevant threat to web infrastructure relying on this plugin for flexible layout management.

For European organizations, the vulnerability poses a risk to the integrity of web content managed via the ACF Flexible Layouts Manager plugin. Unauthorized modification of custom fields could lead to misinformation, defacement, or insertion of malicious scripts, potentially damaging brand reputation and user trust. While the vulnerability does not directly impact availability or confidentiality, the integrity compromise can facilitate further attacks such as phishing or malware distribution. Organizations relying on WordPress sites with this plugin, especially those handling sensitive or public-facing content, may face reputational damage and operational disruption. Given the ease of exploitation without authentication, attackers can target vulnerable sites en masse. The impact is particularly significant for sectors with high web presence such as media, e-commerce, and government portals in Europe. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits following public disclosure.

1. Monitor the plugin vendor’s official channels for patches addressing CVE-2025-12937 and apply updates promptly once available. 2. Until patches are released, restrict access to the plugin’s endpoints by implementing web application firewall (WAF) rules that block unauthorized POST requests to the affected function or related URLs. 3. Limit administrative and editing privileges within WordPress to trusted users only, reducing the attack surface. 4. Employ intrusion detection systems to monitor for unusual modifications to custom fields or posts. 5. Regularly audit WordPress plugin usage and remove or disable unused or unnecessary plugins. 6. Consider isolating critical WordPress instances behind VPNs or IP whitelisting to reduce exposure. 7. Educate web administrators about this vulnerability and encourage vigilance for suspicious content changes. 8. Backup website content regularly to enable quick restoration if unauthorized modifications occur.