CVE-2025-62960

2025-12-18 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 18, 2025 - 17:15 (nvd)

Description

Missing Authorization vulnerability in sparklewpthemes Construction Light construction-light allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Construction Light: from n/a through <= 1.6.7.

Analysis

Missing authorization controls in sparklewpthemes Construction Light WordPress theme versions 1.6.7 and earlier allow unauthenticated attackers to bypass access restrictions and access resources that should be protected by role-based access control. The vulnerability stems from incorrectly configured access control security levels, potentially exposing sensitive functionality or data to unauthorized users.

Technical Context

Construction Light is a WordPress theme that implements access control mechanisms to restrict certain features or data based on user roles and capabilities. CWE-862 (Missing Authorization) indicates that the theme fails to properly check whether a user has the necessary permissions before granting access to protected resources. This class of vulnerability typically occurs when access control checks are missing from critical code paths, improperly implemented, or bypassable through direct requests. The vulnerability affects the theme's security layer that should enforce WordPress role-based permissions (admin, editor, author, contributor, subscriber, or unauthenticated).

Affected Products

Affected: sparklewpthemes Construction Light WordPress theme, versions from an unspecified baseline through version 1.6.7 inclusive. The theme is distributed through the WordPress theme repository and via sparklewpthemes. A detailed vendor advisory and remediation guidance are available at https://patchstack.com/database/Wordpress/Theme/construction-light/vulnerability/wordpress-construction-light-theme-1-6-7-broken-access-control-vulnerability.

Remediation

Update the sparklewpthemes Construction Light theme to a version newer than 1.6.7 immediately. Site administrators should log into the WordPress dashboard, navigate to Appearance > Themes, and install any available security update for Construction Light. If an update is not yet available in the theme repository, temporarily deactivate the Construction Light theme until a patched version is released by sparklewpthemes. Consult the vendor advisory at Patchstack for confirmation of the fixed version number and timeline. Additionally, audit user roles and capabilities on affected sites to identify whether unauthorized access has occurred.
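An inventory check to support the update step above, added here as an example and not taken from the advisory or the theme: it walks a web root for copies of the `construction-light` theme, reads the `Version` header from each `style.css`, flags anything at or below 1.6.7, and lists child themes whose `Template` header points at it. The function names, the sample header and the choice to treat an unreadable version as affected are assumptions.

```python
import re
import sys
from pathlib import Path

THEME_SLUG = "construction-light"  # theme directory slug named in the advisory
LAST_AFFECTED = (1, 6, 7)          # affected range stated on this page: <= 1.6.7

# Constructed sample header, not copied from the real theme.
SAMPLE_STYLE_CSS = "/*\nTheme Name: Construction Light\nVersion: 1.6.7\n*/\n"

def header(text, name):
    """Read one 'Name: value' field from a style.css header comment."""
    m = re.search(rf"^[ \t/*#@]*{re.escape(name)}:(.*)$", text, re.M | re.I)
    return m.group(1).strip() if m else None

def version_tuple(value):
    """'1.6.7' -> (1, 6, 7); None when no leading dotted number is present."""
    m = re.match(r"\d+(?:\.\d+)*", value or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def is_affected(version):
    """True for versions <= 1.6.7; unreadable versions count as affected."""
    if version is None:
        return True
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(LAST_AFFECTED)

def scan(root):
    """List (theme_dir, role, version, affected) for the theme and its child themes."""
    found = []
    for css in sorted(Path(root).rglob("wp-content/themes/*/style.css")):
        # Only the start of the file is decoded; the header comment sits at the top.
        text = css.read_bytes()[:8192].decode("utf-8", errors="replace")
        if css.parent.name == THEME_SLUG:
            ver = version_tuple(header(text, "Version"))
            found.append((str(css.parent), "parent", ver, is_affected(ver)))
        elif header(text, "Template") == THEME_SLUG:
            # A child theme still loads the parent's code, so flag it for review.
            found.append((str(css.parent), "child", None, None))
    return found

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for row in scan(sys.argv[1]):
            print(*row, sep="\t")
    else:
        ver = version_tuple(header(SAMPLE_STYLE_CSS, "Version"))
        print("sample:", ver, "affected" if is_affected(ver) else "not affected")
```

Run it with the web root as the only argument to get one tab-separated row per installation; a `child` row means the parent theme's code is still loaded on that site even though another theme is active.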

Priority Score

Score: 0 (scale labels: Low, Medium, High, Critical)
Components: KEV: 0, EPSS: +0.1, CVSS: +0, POC: 0
