CVE-2025-0951
BaseFortify

Publication date: 2025-08-28

Last updated on: 2025-08-29

Assigner: Wordfence

Description
Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquid_reset_wordpress_before AJAX in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate all of a site's plugins. While we escalated this to Envato after not being able to establish contact, it appears the developer added a nonce check, however that is not sufficient protection as the nonce is exposed to all users with access to the dashboard.
Meta Information
Published: 2025-08-28
Last Modified: 2025-08-29
Generated: 2026-06-16
AI Q&A: 2025-08-28
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
1 associated CPE:
Vendor | Product | Version / Range
liquidthemes | wordpress | *
CWE ID | Description
CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability affects multiple WordPress plugins and themes by LiquidThemes. It is caused by a missing capability check on the liquid_reset_wordpress_before AJAX action, allowing authenticated users with Subscriber-level access or higher to deactivate all plugins on a site. Although a nonce check was added by the developer, it is insufficient because the nonce is accessible to all users with dashboard access.

Impact Analysis

An attacker with Subscriber-level access or above can exploit this vulnerability to deactivate all plugins on a WordPress site. This can disrupt site functionality, potentially causing downtime or loss of features provided by the plugins, impacting site availability and user experience.

Mitigation Strategies

To mitigate this vulnerability, restrict access to the WordPress dashboard to trusted users only, especially limiting Subscriber-level access. Monitor and update the affected plugins and themes from LiquidThemes to versions that properly implement capability checks. Consider disabling or removing vulnerable plugins until a secure update is available.
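
As an interim measure where the affected theme or plugin cannot be removed, a must-use plugin can enforce the missing capability check ahead of the vendor handler. This is an added example, not LiquidThemes or Wordfence code. It assumes the vendor registers its handler on the standard wp_ajax_liquid_reset_wordpress_before hook at the default priority; the function name, file location and the choice of the activate_plugins capability are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Guard for liquid_reset_wordpress_before (CVE-2025-0951)
 *
 * Added example, not LiquidThemes or Wordfence code. Hypothetical location:
 * wp-content/mu-plugins/guard-liquid-reset.php
 */

defined( 'ABSPATH' ) || exit;

// Priority 0 runs before a handler registered at the default priority (10).
// Assumption: the vendor registers its handler on this standard hook.
add_action( 'wp_ajax_liquid_reset_wordpress_before', 'example_guard_liquid_reset', 0 );

/**
 * Authorization gate. A nonce only ties the request to a session and an
 * action. Any logged-in user who can load the dashboard can obtain it, so it
 * says nothing about whether that user may deactivate plugins.
 */
function example_guard_liquid_reset() {
	// Capability choice is an assumption: activate_plugins is the core
	// capability WordPress requires for activating and deactivating plugins.
	if ( current_user_can( 'activate_plugins' ) ) {
		return; // Authorized: fall through to the vendor handler.
	}

	// Leave a trace for detection; the address is sanitized before logging.
	$ip = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf(
		'Blocked liquid_reset_wordpress_before: user_id=%d ip=%s',
		get_current_user_id(),
		$ip
	) );

	// Sends a JSON body with HTTP 403 and terminates the request, so the
	// later-priority vendor callback never executes.
	wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
```

The log lines it writes also give a simple signal for spotting low-privilege accounts probing the action. Remove the file once the installed LiquidThemes version performs the capability check itself.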
