CVE-2025-2802: 
WordPress vulnerability analysis and mitigation

The LayoutBoxx plugin for WordPress has been identified with a critical vulnerability (CVE-2025-2802) discovered on May 6, 2025. The vulnerability affects all versions up to and including 0.3.1, allowing unauthenticated attackers to execute arbitrary shortcodes. This security issue was initially reported by Wordfence and has been assigned a CVSS v3.1 base score of 7.3 (High) (NVD Database).

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and stems from inadequate input validation before executing the do_shortcode function. The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can affect confidentiality, integrity, and availability (NVD Database).

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, which could lead to unauthorized code execution on affected WordPress installations. This can potentially compromise the confidentiality, integrity, and availability of the affected systems, as indicated by the CVSS scoring (NVD Database).

The plugin has been temporarily closed as of April 24, 2025, pending a full security review. Users are advised to remove the plugin until a patched version becomes available (WordPress Plugin).