Construction Light < 1.6.8 - Subscriber+ Arbitrary Plugin Activation

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary .

Basic Information

ID CVE-2025-10684

Source WPScan

Published Dec 12, 2025 at 06:00

Modified Dec 12, 2025 at 15:01

Affected Product

Vendor Unknown

Product Construction Light

Affected Versions Unknown Construction Light 0

CWE Classification

References

wpscan.com /vulnerability/cfabf8b2-30a4-462f-996c-79888a439c09/

{
    "lastseen": "",
    "description": "The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating  via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary .",
    "published": "2025-12-12T06:00:02.332Z",
    "modified": "2025-12-12T15:01:50.246Z",
    "type": "cve",
    "title": "Construction Light < 1.6.8 - Subscriber+ Arbitrary Plugin Activation",
    "source": "WPScan",
    "references": "https://wpscan.com/vulnerability/cfabf8b2-30a4-462f-996c-79888a439c09/",
    "id": "CVE-2025-10684",
    "bulletinFamily": "",
    "cwe": [
        "",
        ""
    ],
    "cvelist": null,
    "sourceData": "Unknown Construction Light 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Construction Light",
    "version": "0",
    "vendor": "Unknown",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Construction Light < 1.6.8 - Subscriber+ Arbitrary Plugin Activation_CVE-2025-10684