Description
Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquid_reset_wordpress_before AJAX in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate all of a site's plugins. While we escalated this to Envato after not being able to establish contact, it appears the developer added a nonce check, however that is not sufficient protection as the nonce is exposed to all users with access to the dashboard.
Published: 2025-08-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deactivation of all plugins via an authenticated AJAX endpoint
Action: Apply Patch
AI Analysis

Impact

The vulnerability originates from a missing capability check in the liquid_reset_wordpress_before AJAX handler used by several LiquidThemes WordPress themes. As a result, any authenticated user with Subscriber role or higher can trigger this endpoint and deactivate every plugin on the site. The flaw falls under CWE‑862 (Missing Authorization) and can cause a denial of service by stripping core functionality, potentially leading to site downtime or degraded user experience.

Affected Systems

The flaw affects the AI Hub, ArcHub and Hub WordPress themes released by LiquidThemes. All supported versions prior to the recent update that added a nonce check are vulnerable. The specific version range is not enumerated in the advisory.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The attack requires only authenticated access with Subscriber-level permissions, not administrative rights, so a wide range of users could abuse it if the theme remains outdated. Although the vulnerability is not listed in the CISA KEV catalog, the potential for site-wide disruption warrants prompt remediation.

Generated by OpenCVE AI on April 28, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update all LiquidThemes AI Hub, ArcHub, and Hub themes to the latest releases where the nonce check has been added to the liquid_reset_wordpress_before handler.
  • Verify that the nonce is not exposed publicly on the dashboard and that the capability check limits access to the required roles; if uncertain, reconfigure the theme’s AJAX endpoint to restrict access to administrators only.
  • If an immediate theme update is not feasible, temporarily disable the liquid_reset_wordpress_before AJAX route by adding a custom function to your theme’s functions.php or a site‑wide plugin that removes or blocks this action for non‑administrator users.
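One way to implement the temporary block from the last item, as an added example (not code from LiquidThemes, Wordfence or OpenCVE). It assumes the AJAX action name is liquid_reset_wordpress_before, as the handler is named in the advisory, and that activate_plugins is the right capability for the site; the constant and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Guard liquid_reset_wordpress_before (added example)
 *
 * Place in wp-content/mu-plugins/ so it loads on every request and
 * cannot be switched off by the action it protects against.
 */

// Assumption: the AJAX action name matches the handler named in the advisory.
const EXAMPLE_GUARDED_ACTION = 'liquid_reset_wordpress_before';

// Assumption: only users who may manage plugins should reach the handler.
// On multisite, pick the capability that matches who manages plugins there.
const EXAMPLE_REQUIRED_CAP = 'activate_plugins';

/**
 * Runs before the theme's own handler. A nonce only shows that the request
 * came from a page the user loaded; it does not show that the user is
 * allowed to perform the action, so the capability is checked here.
 */
function example_guard_liquid_reset() {
    if ( current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
        return; // Authorized: fall through to the theme's handler.
    }

    // Record the attempt so it is visible in the PHP error log.
    error_log( sprintf(
        'Blocked %s AJAX call: user_id=%d ip=%s',
        EXAMPLE_GUARDED_ACTION,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Sends a JSON error with HTTP 403 and ends the request, so
    // callbacks registered at later priorities never run.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// PHP_INT_MIN makes this the first callback on the hook, ahead of the
// theme's handler at the default priority (10).
add_action( 'wp_ajax_' . EXAMPLE_GUARDED_ACTION, 'example_guard_liquid_reset', PHP_INT_MIN );
```

The guard leaves the theme's handler in place for administrators, so it can be removed once the theme itself performs a capability check.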



Advisories
Source: EUVD
ID: EUVD-2025-25959
Title: Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquid_reset_wordpress_before AJAX in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate all of a site's plugins. While we escalated this to Envato after not being able to establish contact, it appears the developer added a nonce check, however that is not sufficient protection as the nonce is exposed to all users with access to the dashboard.
History

Fri, 27 Feb 2026 00:15:00 +0000

Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 07:45:00 +0000

Values added:
  First Time appeared: Liquidthemes; Liquidthemes ai Hub; Liquidthemes archub; Liquidthemes hub; Wordpress; Wordpress wordpress
  Vendors & Products: Liquidthemes; Liquidthemes ai Hub; Liquidthemes archub; Liquidthemes hub; Wordpress; Wordpress wordpress

Thu, 28 Aug 2025 04:00:00 +0000

Values added:
  Description: Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquid_reset_wordpress_before AJAX in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate all of a site's plugins. While we escalated this to Envato after not being able to establish contact, it appears the developer added a nonce check, however that is not sufficient protection as the nonce is exposed to all users with access to the dashboard.
  Title: LiquidThemes Themes <= Various Versions - Missing Authorization to Authenticated (Subscriber+) All Plugins Deactivated
  Weaknesses: CWE-862
  References:
  Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:21.073Z

Reserved: 2025-01-31T19:34:34.392Z

Link: CVE-2025-0951

Vulnrichment

Updated: 2025-08-28T14:18:19.009Z

NVD

Status: Deferred

Published: 2025-08-28T04:15:56.903

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0951

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T11:00:14Z
