We’re taking on a small number of new builds and rebuilds this quarter. Book a call to see if your project is a fit.

CVE CVE-2025-10684

CVE-2025-10684

WordPress

Severity: MEDIUM
CVSS: 4.3CVSS
Published: 2025-12-12
Last modified: 2026-01-09
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-287CWE-352

Description

The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary .

References

https://wpscan.com/vulnerability/cfabf8b2-30a4-462f-996c-79888a439c09/

Summary

Description

References