Skip to main content

CVE-2025-62960

MEDIUM
Missing Authorization (CWE-862)
2025-12-18 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 18, 2025 - 17:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in sparklewpthemes Construction Light construction-light allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Construction Light: from n/a through <= 1.6.7.

AnalysisAI

Missing authorization controls in sparklewpthemes Construction Light WordPress theme versions 1.6.7 and earlier allow unauthenticated attackers to bypass access restrictions and access resources that should be protected by role-based access control. The vulnerability stems from incorrectly configured access control security levels, potentially exposing sensitive functionality or data to unauthorized users.

Technical ContextAI

Construction Light is a WordPress theme that implements access control mechanisms to restrict certain features or data based on user roles and capabilities. CWE-862 (Missing Authorization) indicates that the theme fails to properly check whether a user has the necessary permissions before granting access to protected resources. This class of vulnerability typically occurs when access control checks are missing from critical code paths, improperly implemented, or bypass-able through direct requests. The vulnerability affects the theme's security layer that should enforce WordPress role-based permissions (admin, editor, author, contributor, subscriber, or unauthenticated).

Affected ProductsAI

sparklewpthemes Construction Light WordPress theme versions from an unspecified baseline through version 1.6.7 inclusive. The theme is distributed through the WordPress theme repository and via sparklewpthemes. Detailed vendor advisory and remediation guidance available at https://patchstack.com/database/Wordpress/Theme/construction-light/vulnerability/wordpress-construction-light-theme-1-6-7-broken-access-control-vulnerability.

RemediationAI

Update sparklewpthemes Construction Light theme to a version newer than 1.6.7 immediately. Site administrators should log into the WordPress dashboard, navigate to Appearance > Themes, and install any available security update for Construction Light. If an update is not yet available in the theme repository, temporarily deactivate and disable the Construction Light theme until a patched version is released by sparklewpthemes. Consult the vendor advisory at Patchstack for confirmation of the fixed version number and timeline. Additionally, audit user roles and capabilities on affected sites to identify whether unauthorized access has occurred.

Share

CVE-2025-62960 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy