CVE-2025-2802 - Vulnerability Details

- LayoutBoxx <= 0.3.1 - Unauthenticated Arbitrary Shortcode Execution

Description

The LayoutBoxx plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.3.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Published: 2025-05-06

Score: 7.3 High

EPSS: 1.4% Low

KEV: No

Impact:

Action:

Analysis

Impact

The LayoutBoxx plugin for WordPress allows unauthenticated users to run any shortcode without validating the input. The plugin feeds user‑supplied content directly into WordPress’s do_shortcode function, which executes the code within the shortcode. Because shortcodes can invoke arbitrary PHP code or WordPress functions, an attacker can run malicious PHP on the server, leading to a full compromise of confidentiality, integrity, and availability.

Affected Systems

All versions of the LayoutBoxx plugin up to and including 0.3.1 are affected. The vendor is LayoutBoxx and the product is the WordPress plugin named LayoutBoxx.

Risk and Exploitability

The CVSS score of 7.3 classifies this flaw as high severity, and the EPSS score of 1.35% indicates that exploitation is technically possible but not widespread. The vulnerability is remote and unauthenticated; an attacker only needs to craft a request containing a malicious shortcode and send it to any page that processes shortcodes. Although the flaw has not yet been listed in the CISA KEV catalog, it presents a significant risk of remote code execution on any live WordPress site that has the plugin enabled.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

layoutboxx

LayoutBoxx

unaffected

Version	Status	Constraints
`0`	affected	≤ 0.3.1

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the LayoutBoxx plugin to the latest official release (any version newer than 0.3.1).
If an update is not available, disable or completely remove the LayoutBoxx plugin from the site to eliminate the attack surface.
Harden WordPress by disabling shortcodes in unauthenticated contexts using a security plugin or custom code, and monitor server logs for unexpected shortcode execution attempts.

Generated by OpenCVE AI on April 21, 2026 at 20:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-13473	The LayoutBoxx plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.3.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0135.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.svn.wordpress.org/layoutboxx/trunk/layoutboxx.php
https://wordpress.org/plugins/layoutboxx/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/fc3fcb8f-f130-4008-8f11-d98efa30f1a8?source=cve

History

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00283}`	epss `{'score': 0.00295}`

Tue, 06 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 06 May 2025 04:30:00 +0000

Type	Values Removed	Values Added
Description		The LayoutBoxx plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.3.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Title		LayoutBoxx <= 0.3.1 - Unauthenticated Arbitrary Shortcode Execution
Weaknesses		CWE-94
References		https://plugins.svn.wordpress.org/layoutboxx/trunk/layoutboxx.php https://wordpress.org/plugins/layoutboxx/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/fc3fcb8f-f130-4008-8f11-d98efa30f1a8?source=cve
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-05-06T04:24:13.420Z

Updated: 2026-04-08T17:34:41.656Z

Reserved: 2025-03-25T21:06:58.772Z

Link: CVE-2025-2802

Vulnrichment

Updated: 2025-05-06T14:16:04.734Z

NVD

Status : Deferred

Published: 2025-05-06T05:15:49.483

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2802

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:00:36Z

Weaknesses

CWE-94

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object