CVE-2025-2802 in LayoutBoxx Plugininfo

Summary

by MITRE • 05/06/2025

The LayoutBoxx plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.3.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 06/20/2026

The LayoutBoxx plugin for WordPress presents a critical security vulnerability that enables arbitrary shortcode execution, affecting all versions up to and including 0.3.1. This vulnerability stems from insufficient input validation within the plugin's shortcode processing mechanism, creating a pathway for malicious actors to exploit the system without authentication requirements. The flaw exists in the plugin's handling of user-supplied data that gets processed through the do_shortcode function, which executes WordPress shortcodes without adequate sanitization or validation checks. This represents a fundamental security oversight that undermines the integrity of WordPress installations using the affected plugin.

The technical nature of this vulnerability aligns with CWE-79, which describes improper neutralization of input during web output, and specifically relates to the improper validation of user input before executing dynamic code operations. Attackers can leverage this weakness by crafting malicious requests that contain specially formatted shortcode parameters, which are then processed by the vulnerable plugin without proper validation. The do_shortcode function serves as the primary execution point where the vulnerability manifests, as it directly interprets and executes shortcode content without sufficient security controls to prevent unauthorized code execution.

The operational impact of this vulnerability extends beyond simple code injection, as it allows unauthenticated attackers to execute arbitrary shortcodes with the privileges of the WordPress installation. This could enable attackers to perform various malicious activities including data exfiltration, modification of website content, installation of backdoors, or exploitation of other vulnerabilities within the WordPress ecosystem. The vulnerability affects any WordPress site running the LayoutBoxx plugin, making it particularly dangerous as it can be exploited by anyone with access to the website's public interface without requiring valid user credentials or administrative privileges.

Security mitigation strategies should focus on immediate plugin updates to versions that address the validation flaw, as well as implementing additional protective measures such as input filtering at the web application firewall level and monitoring for suspicious shortcode execution patterns. Organizations should also consider implementing network-level restrictions to limit access to plugin endpoints and conduct thorough security audits of all installed WordPress plugins to identify similar validation weaknesses. The vulnerability demonstrates the importance of proper input validation and the principle of least privilege in web application security, as highlighted by ATT&CK technique T1059.008 for execution through command and scripting interpreter, where attackers can leverage legitimate system functions to execute malicious code. Regular security assessments and keeping all WordPress components updated remain essential practices to prevent exploitation of such vulnerabilities in the broader WordPress ecosystem.

Reservation

03/25/2025

Disclosure

05/06/2025

Moderation

accepted

CPE

ready

EPSS

0.00403

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!