Construction Light WordPress Theme Vulnerability

MEDIUM (4.3) No Patch (2 days)

Threat Intelligence

Low Risk
EPSS Score: 0.01% chance of exploitation (percentile: 2%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The Construction Light WordPress theme is a popular choice for bloggers and small businesses. However, it contains a critical vulnerability: one of the theme's AJAX actions lets authenticated users trigger arbitrary actions, potentially leading to unauthorized changes or data breaches.

Am I affected?

You're affected if you use the Construction Light WordPress theme. Affected versions: 1.6.8

Affected Products

DynamiApps / Construction Light

How to fix

To fix this vulnerability, update the Construction Light WordPress theme to version 1.6.9 or later. You can do this by:

  1. Upgrading through the WordPress dashboard: Go to Appearance > Themes and search for "Construction Light".
  2. Using a plugin like WP Update Manager or Automator to automate the upgrade process.
  3. Manually downloading and uploading the updated theme files.
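To confirm which build is installed before and after the update, the following Python (an added example, not code from the advisory or from the theme vendor) reads a theme's `style.css` header and reports whether the Construction Light version is still below the fixed release. It assumes the standard WordPress `Key: Value` theme header format; the sample header is constructed for a stand-alone run.

```python
import re
from pathlib import Path

# Values taken from the advisory above: the vendor's theme name and the release that fixes the issue.
THEME_NAME = "Construction Light"
FIXED_VERSION = "1.6.9"


def parse_version(text):
    """Turn '1.6.8' (or '1.6.9-beta') into a tuple of ints so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_style_header(css):
    """Read the WordPress theme header block from style.css (one 'Key: Value' per line)."""
    header = {}
    for line in css.splitlines():
        m = re.match(r"^\s*\*?\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            header[m.group(1)] = m.group(2)
    return header


def check_theme(css):
    """Return (theme_name, version, needs_update) for the style.css contents given."""
    header = parse_style_header(css)
    name = header.get("Theme Name", "")
    version = header.get("Version")
    if name != THEME_NAME:
        return name, version, False      # a different theme; out of scope for this advisory
    if version is None:
        return name, None, True          # no version header: cannot prove it is fixed, so flag it
    return name, version, parse_version(version) < parse_version(FIXED_VERSION)


def check_theme_dir(theme_dir):
    """Convenience wrapper: inspect wp-content/themes/<theme_dir>/style.css on disk."""
    css = Path(theme_dir, "style.css").read_text(encoding="utf-8", errors="replace")
    return check_theme(css)


# Constructed sample header (not a real file from the theme) showing the affected version.
SAMPLE_CSS = """/*
Theme Name: Construction Light
Author: DynamiApps
Version: 1.6.8
*/
"""

if __name__ == "__main__":
    print(check_theme(SAMPLE_CSS))  # prints ('Construction Light', '1.6.8', True)
```

Point `check_theme_dir` at the theme folder under `wp-content/themes` on each site you manage to inventory which installs still need the 1.6.9 update.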

Immediate mitigations:
- Restrict network access to your WordPress installation (firewall it from the public internet)
- Audit user account activity for suspicious changes
- Monitor for unauthorized theme activation
