WordPress Plugin Vulnerabilities

Custom Layouts – Post + Product grids made easy < 1.5.0 - Missing Authorization

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
custom-layouts
Fixed in 1.5.0

References

CVE
CVE-2025-62996
URL
https://vdp.patchstack.com/database/Wordpress/Plugin/custom-layouts/vulnerability/wordpress-custom-layouts-post-product-grids-made-easy-plugin-1-4-12-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
daroo
Verified
No
WPVDB ID
4a4ba913-994a-422c-9b17-0ec4d3bda1f4

Timeline

Publicly Published
2025-12-05 (about 6 months ago)
Added
2025-12-10 (about 6 months ago)
Last Updated
2025-12-16 (about 6 months ago)

Other

Published
Title
Published
2025-07-01
Title
Lead Form Data Collection to CRM < 3.2 - Missing Authorization to Authenticated (Subscriber+) Many Actions
Published
2026-01-20
Title
Creator LMS – The LMS for Creators, Coaches, and Trainers < 1.1.13 - Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update
Published
2025-10-30
Title
ERI File Library < 1.1.1 - Missing Authorization to Unauthenticated Protected File Download
Published
2025-04-04
Title
Course Booking System < 6.1.1 - Missing Authorization
Published
2023-11-01
Title
Funnelforms Free < 3.4.2 - Missing Authorization to Post Modification