PT-2025-50885 · WordPress · Construction Light
Khaled Alenazi · Published 2025-12-12 · Updated 2026-01-09 · CVE-2025-10684
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Construction Light WordPress theme versions prior to 1.6.8
Description
The Construction Light WordPress theme exposes an AJAX action for activating functionality that performs neither an authorization (capability) check nor Cross-Site Request Forgery (CSRF) protection. Because the handler does not verify the caller's permissions and does not validate a CSRF token (nonce), any authenticated user, including one with a low-privilege role such as subscriber, can invoke it and activate arbitrary features without authorization.
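The defect class described above, shown as an added example that is not the theme's own code: a WordPress AJAX handler in the shape the advisory describes (reachable by any logged-in user, no capability check, no nonce check) beside a hardened handler that adds both checks and an input allow-list. The action name `cl_demo_activate_feature`, the option key, the feature list and the `manage_options` capability are assumptions chosen for illustration; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_create_nonce`, `wp_localize_script`, `wp_send_json_*`) are real.

```php
<?php
/**
 * Added example, not code from the Construction Light theme.
 * Action name, option key, capability and feature ids are assumptions.
 */

// --- BEFORE: the pattern the advisory describes -------------------------------
// Every wp_ajax_* hook is reachable by any authenticated user. With no capability
// check and no nonce check, a subscriber account (or a page a logged-in admin is
// lured to, via CSRF) can trigger the action. Shown for contrast; not registered.
function cl_demo_activate_feature_vulnerable() {
    $feature = isset( $_POST['feature'] ) ? sanitize_key( wp_unslash( $_POST['feature'] ) ) : '';
    update_option( 'cl_demo_active_feature', $feature );
    wp_send_json_success( array( 'activated' => $feature ) );
}

// --- AFTER: hardened handler --------------------------------------------------
function cl_demo_activate_feature_secure() {
    // 1. CSRF protection: the request must carry a nonce tied to this action.
    //    check_ajax_referer() terminates the request with HTTP 403 when it fails.
    check_ajax_referer( 'cl_demo_activate_feature', 'nonce' );

    // 2. Authorization: "is logged in" is not a permission. Require a capability
    //    that only administrators hold (manage_options is an assumption here).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only a fixed allow-list of feature ids
    //    (constructed sample values) instead of whatever the client sends.
    $allowed = array( 'slider', 'portfolio', 'testimonials' );
    $feature = isset( $_POST['feature'] ) ? sanitize_key( wp_unslash( $_POST['feature'] ) ) : '';
    if ( ! in_array( $feature, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown feature.' ), 400 );
    }

    update_option( 'cl_demo_active_feature', $feature );
    wp_send_json_success( array( 'activated' => $feature ) );
}
// Register the authenticated hook only. A wp_ajax_nopriv_ variant would expose
// a privileged action to anonymous visitors and must not be added.
add_action( 'wp_ajax_cl_demo_activate_feature', 'cl_demo_activate_feature_secure' );

// Hand the nonce to the admin-side script so legitimate requests pass step 1.
// The script path is an assumption; the JS would POST
// { action: 'cl_demo_activate_feature', nonce: clDemo.nonce, feature: '...' }.
function cl_demo_enqueue_admin_script() {
    wp_enqueue_script( 'cl-demo-admin', get_template_directory_uri() . '/js/admin.js', array( 'jquery' ), '1.0', true );
    wp_localize_script( 'cl-demo-admin', 'clDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'cl_demo_activate_feature' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'cl_demo_enqueue_admin_script' );
```

The two checks are independent and both are needed: the nonce stops a forged cross-site request from a browser that is already logged in, and the capability check stops a low-privilege account that can legitimately obtain a nonce. When reviewing a theme or plugin for this class of issue, look at every `add_action( 'wp_ajax_...' )` registration and confirm its callback calls both a nonce verifier and `current_user_can()` before it changes state.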
Recommendations
Update the Construction Light WordPress theme to version 1.6.8 or later.
Improper Authentication
CSRF
Affected Products
Construction Light