CVE-2025-2802 Overview
CVE-2025-2802 affects the LayoutBoxx plugin for WordPress in all versions up to and including 0.3.1. The plugin exposes an action that passes user-supplied input to do_shortcode without proper validation. Unauthenticated attackers can invoke arbitrary WordPress shortcodes against vulnerable sites over the network. The flaw is classified under CWE-94: Improper Control of Generation of Code and stems from missing input validation on a publicly reachable handler.
Critical Impact
Unauthenticated remote attackers can execute arbitrary shortcodes on any WordPress site running LayoutBoxx 0.3.1 or earlier, enabling abuse of any registered shortcode on the site.
Affected Products
- WordPress LayoutBoxx plugin versions 0.0 through 0.3.1
- WordPress sites with LayoutBoxx installed and activated
- Any WordPress instance that registers privileged shortcodes alongside LayoutBoxx
Discovery Timeline
- 2025-05-06 - CVE-2025-2802 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-2802
Vulnerability Analysis
The LayoutBoxx plugin registers an action handler that accepts a value from the request and forwards it to WordPress's do_shortcode function. The handler does not validate or restrict the supplied value, so any shortcode registered on the site can be triggered. WordPress shortcodes can execute privileged operations depending on the plugins installed, including content rendering, file inclusion, and data retrieval. Because the entry point requires no authentication, attackers can reach it directly over HTTP. The issue is tracked under CWE-94 and reported in the Wordfence Vulnerability Report. EPSS data places the exploitation probability at 1.35%, which falls in the 80th percentile and indicates elevated interest relative to the broader CVE population.
Root Cause
The plugin invokes do_shortcode on attacker-controlled input without an allow-list, capability check, or nonce verification. WordPress treats the resulting string as a fully trusted shortcode expression and dispatches it to any matching handler.
Attack Vector
An unauthenticated attacker sends a crafted HTTP request to the LayoutBoxx action endpoint with a shortcode payload in the vulnerable parameter. The server resolves the shortcode and returns or processes the result. Attackers chain this primitive with other installed plugins that expose sensitive shortcodes to escalate impact. See the plugin source on the WordPress SVN repository for the vulnerable handler.
No verified public proof-of-concept code is available. Refer to the Wordfence advisory for additional technical context.
Detection Methods for CVE-2025-2802
Indicators of Compromise
- HTTP requests to admin-ajax.php or LayoutBoxx action endpoints containing shortcode syntax such as [ and ] in unexpected parameters
- Unauthenticated POST or GET requests referencing LayoutBoxx actions from external IP addresses
- Web server logs showing repeated probing of LayoutBoxx parameters with varying shortcode names
Detection Strategies
- Inspect WordPress access logs for requests targeting LayoutBoxx AJAX actions without an authenticated session cookie
- Alert on request bodies or query strings containing bracketed shortcode tokens directed at plugin endpoints
- Correlate spikes in admin-ajax.php traffic with the presence of LayoutBoxx versions 0.3.1 or earlier
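As an added detection example (not part of the original advisory), the following Python script applies the first two strategies above to access-log lines: it flags admin-ajax.php requests whose action names LayoutBoxx, whose query string carries a bracketed shortcode token, and which arrive without a WordPress login cookie. It assumes an Apache combined log format extended with a trailing quoted Cookie field; because the plugin's real action name is not given here, it matches on the plugin name as a heuristic, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A shortcode token as WordPress parses it: "[name", optional attributes, "]".
SHORTCODE_RE = re.compile(r"\[[A-Za-z0-9_-]+(?:\s[^\]]*)?\]")

# Assumed log format (constructed for this example): Apache "combined" with one
# extra quoted field at the end carrying the request's Cookie header (%{Cookie}i).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def analyze_line(line):
    """Return a finding for a line matching the CVE-2025-2802 pattern, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs percent-decodes, so %5B ... %5D is seen as [ ... ] just as WordPress sees it.
    params = parse_qs(url.query)
    actions = [a.lower() for a in params.get("action", [])]
    # The plugin's real action name is not on the page: match the plugin name (assumption).
    if not any("layoutboxx" in a for a in actions):
        return None
    # POST bodies are not in access logs; body inspection needs WAF or application logging.
    hits = [v for vals in params.values() for v in vals if SHORTCODE_RE.search(v)]
    if not hits:
        return None
    # A logged-in WordPress session carries a wordpress_logged_in_<hash> cookie.
    authenticated = "wordpress_logged_in_" in m["cookie"]
    return {"ip": m["ip"], "action": actions[0], "shortcodes": hits,
            "authenticated": authenticated, "severity": "review" if authenticated else "high"}

def scan(lines):
    return [f for f in map(analyze_line, lines) if f]

# Constructed sample traffic: hosts, cookie values and the action name are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/May/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=layoutboxx_example&content=%5Bgallery%20ids%3D%221%22%5D HTTP/1.1" 200 512 "-" "curl/8.0" "-"',
    '203.0.113.9 - - [06/May/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=layoutboxx_example&content=%5Bcontact-form%5D HTTP/1.1" 200 88 "-" "Mozilla/5.0" "wordpress_logged_in_abc=editor%7C1"',
    '192.0.2.4 - - [06/May/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0" "-"',
    '192.0.2.5 - - [06/May/2025:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=layoutboxx_example HTTP/1.1" 200 300 "-" "python-requests" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the first two sample lines produce findings; the unauthenticated one is rated high, the one with a login cookie is queued for review, and the POST without a logged query payload is not visible to this log-only check.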
Monitoring Recommendations
- Enable WordPress audit logging to capture shortcode execution and plugin action invocations
- Forward web server and PHP error logs to a centralized SIEM for retention and correlation
- Track installed plugin inventory and version drift across WordPress fleets
How to Mitigate CVE-2025-2802
Immediate Actions Required
- Deactivate and remove the LayoutBoxx plugin until a patched release is verified through the WordPress plugin directory
- Apply a web application firewall rule that blocks shortcode syntax in requests to LayoutBoxx action endpoints
- Audit installed plugins for shortcodes that perform privileged operations and restrict their use
Patch Information
No fixed version is identified in the NVD record at the time of publication. Monitor the LayoutBoxx developer page and the Wordfence Vulnerability Report for updates beyond version 0.3.1.
Workarounds
- Remove the plugin entirely if business requirements allow, since no patched version is confirmed
- Restrict access to wp-admin/admin-ajax.php from untrusted networks using WAF or reverse proxy rules
- Disable or unregister high-risk shortcodes from other plugins via remove_shortcode in a custom mu-plugin
# Example WP-CLI commands to deactivate and remove the vulnerable plugin
wp plugin deactivate layoutboxx
wp plugin delete layoutboxx
wp plugin list --status=active --format=table
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.