CVE-2025-62960
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in sparklewpthemes Construction Light construction-light allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Construction Light: from n/a through <= 1.6.7.
AnalysisAI
Missing authorization controls in sparklewpthemes Construction Light WordPress theme versions 1.6.7 and earlier allow unauthenticated attackers to bypass access restrictions and access resources that should be protected by role-based access control. The vulnerability stems from incorrectly configured access control security levels, potentially exposing sensitive functionality or data to unauthorized users.
Technical ContextAI
Construction Light is a WordPress theme that implements access control mechanisms to restrict certain features or data based on user roles and capabilities. CWE-862 (Missing Authorization) indicates that the theme fails to properly check whether a user has the necessary permissions before granting access to protected resources. This class of vulnerability typically occurs when access control checks are missing from critical code paths, improperly implemented, or bypass-able through direct requests. The vulnerability affects the theme's security layer that should enforce WordPress role-based permissions (admin, editor, author, contributor, subscriber, or unauthenticated).
Affected ProductsAI
sparklewpthemes Construction Light WordPress theme versions from an unspecified baseline through version 1.6.7 inclusive. The theme is distributed through the WordPress theme repository and via sparklewpthemes. Detailed vendor advisory and remediation guidance available at https://patchstack.com/database/Wordpress/Theme/construction-light/vulnerability/wordpress-construction-light-theme-1-6-7-broken-access-control-vulnerability.
RemediationAI
Update sparklewpthemes Construction Light theme to a version newer than 1.6.7 immediately. Site administrators should log into the WordPress dashboard, navigate to Appearance > Themes, and install any available security update for Construction Light. If an update is not yet available in the theme repository, temporarily deactivate and disable the Construction Light theme until a patched version is released by sparklewpthemes. Consult the vendor advisory at Patchstack for confirmation of the fixed version number and timeline. Additionally, audit user roles and capabilities on affected sites to identify whether unauthorized access has occurred.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today