Unauthorized Data Modification in ACF Flexible Layouts Manager for WordPress
CVE-2025-12937

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Acf Flexible Layouts Manager
Vendor: CVE Published:; 18 November 2025

What is CVE-2025-12937?

The ACF Flexible Layouts Manager plugin for WordPress allows for unauthorized data modification due to a lack of capability checks in its 'acf_flm_update_template_with_pasted_layout' function. This vulnerability permits unauthenticated users to alter custom field values on individual posts and pages, potentially compromising the integrity of site content. All versions up to and including 1.1.6 are affected, making it imperative for site administrators to apply appropriate security measures.

Affected Version(s)

ACF Flexible Layouts Manager * <= 1.1.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/acf-flexible-l...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 18, 2025
Vulnerability Reserved
Nov 10, 2025

Credit

Ahmad Salem

JSON