CVE-2025-62960 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Sparkle WP Construction Light plugin for WordPress, affecting versions up to 1.6.7. This flaw arises due to incorrectly configured access control mechanisms, which fail to properly verify whether a user has the necessary permissions before allowing certain actions. As a result, an attacker with limited privileges (e.g., a low-level authenticated user) can exploit this vulnerability to perform unauthorized operations that can alter data or disrupt service availability. The vulnerability is remotely exploitable over the network without requiring user interaction, but it does require the attacker to have some level of authenticated access (PR:L). The CVSS v3.1 base score is 5.4, indicating a medium severity level, with attack vector being network (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and low availability impact (A:L). There are no known exploits in the wild at this time, and no official patches have been linked yet. The vulnerability could allow attackers to manipulate or disrupt plugin functionality, potentially affecting the integrity and availability of the affected WordPress sites. Given the plugin’s niche use in construction-related WordPress sites, the exposure is somewhat limited but still significant for affected organizations.

For European organizations, the impact of CVE-2025-62960 can be significant in sectors relying on the Construction Light plugin for project management or client-facing websites. Unauthorized actions enabled by this vulnerability could lead to data integrity issues, such as unauthorized modification or deletion of construction project data, which can disrupt business operations and client trust. Availability impacts, although low, could cause temporary service disruptions affecting project timelines. Since the vulnerability requires some level of authentication, insider threats or compromised low-privilege accounts pose a risk. The absence of confidentiality impact reduces the risk of data leakage but does not eliminate the risk of operational disruption. Organizations in Europe with digital construction services or client portals using WordPress and this plugin should consider this vulnerability a moderate operational risk that could affect business continuity and reputation.

1. Immediately review and restrict user roles and permissions within WordPress to ensure the principle of least privilege is enforced, especially for users with access to the Construction Light plugin. 2. Monitor logs for unusual activities related to the plugin, such as unauthorized attempts to access or modify construction data. 3. Until an official patch is released, consider disabling or limiting the use of the Construction Light plugin in environments where strict access control cannot be guaranteed. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the plugin’s endpoints. 5. Regularly update WordPress core and all plugins to the latest versions once patches become available. 6. Conduct security audits focusing on access control configurations within WordPress and the plugin. 7. Educate users about the risks of privilege misuse and enforce strong authentication mechanisms to reduce the risk of account compromise.