CVE-2025-0951
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-08-29
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liquidthemes | wordpress | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects multiple WordPress plugins and themes by LiquidThemes. It is caused by a missing capability check on the liquid_reset_wordpress_before AJAX action, allowing authenticated users with Subscriber-level access or higher to deactivate all plugins on a site. Although a nonce check was added by the developer, it is insufficient because the nonce is accessible to all users with dashboard access.
How can this vulnerability impact me? :
An attacker with Subscriber-level access or above can exploit this vulnerability to deactivate all plugins on a WordPress site. This can disrupt site functionality, potentially causing downtime or loss of features provided by the plugins, impacting site availability and user experience.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, restrict access to the WordPress dashboard to trusted users only, especially limiting Subscriber-level access. Monitor and update the affected plugins and themes from LiquidThemes to versions that properly implement capability checks. Consider disabling or removing vulnerable plugins until a secure update is available.