Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquid_reset_wordpress_before AJAX action in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate all of a site's plugins. While we escalated this to Envato after not being able to establish contact, it appears the developer added a nonce check; however, that is not sufficient protection, as the nonce is exposed to all users with access to the dashboard.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 28 Aug 2025 07:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Liquidthemes; Liquidthemes ai Hub; Liquidthemes archub; Liquidthemes hub; Wordpress; Wordpress wordpress |
| Vendors & Products | | Liquidthemes; Liquidthemes ai Hub; Liquidthemes archub; Liquidthemes hub; Wordpress; Wordpress wordpress |

Thu, 28 Aug 2025 04:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquid_reset_wordpress_before AJAX action in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate all of a site's plugins. While we escalated this to Envato after not being able to establish contact, it appears the developer added a nonce check; however, that is not sufficient protection, as the nonce is exposed to all users with access to the dashboard. |
| Title | | LiquidThemes Themes <= Various Versions - Missing Authorization to Authenticated (Subscriber+) All Plugins Deactivated |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2025-08-28T14:18:21.398Z

Reserved: 2025-01-31T19:34:34.392Z

Link: CVE-2025-0951

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2025-08-28T04:15:56.903

Modified: 2025-08-29T16:24:09.860

Link: CVE-2025-0951

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-08-28T07:40:51Z