Description
The Customify theme for WordPress is vulnerable to Cross-Site Request Forgery in version 0.4.11. This is due to missing or incorrect nonce validation on the reset_customize_section function. This makes it possible for unauthenticated attackers to reset theme customization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-10-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: An unauthenticated attacker who tricks a logged-in WordPress administrator into submitting a forged request can reset Customify theme customizations via CSRF
Action: Immediate Patch
AI Analysis

Impact

Customify version 0.4.11 is missing (or incorrectly performs) the nonce check in its reset_customize_section function. Without that check the handler cannot tell a request made by the administrator's own Customizer page from one a third-party page submitted with the administrator's cookies attached, so an attacker with no account on the site can have an administrator's browser trigger a reset of the site's theme customization settings. This flaw is documented as CWE-352. The attacker gains no direct access to site data or code, but can force a presentation change that may hide or alter important content.
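The missing check described above, shown as an added illustration that is not Customify's own code and is not taken from this entry: a minimal admin-ajax handler in the vulnerable shape next to a hardened version, plus the client-side wiring that issues the nonce. The hook name example_reset_section, the section-to-theme_mod mapping and the script path are assumptions; check_ajax_referer, current_user_can, remove_theme_mod, wp_create_nonce and the other calls are standard WordPress APIs.

```php
<?php
/**
 * Added illustration (not Customify's code): the CSRF pattern behind CVE-2025-8669,
 * as a vulnerable admin-ajax handler and a hardened one.
 * Assumptions: the hook name 'example_reset_section', the section->theme_mod map,
 * and the script path. The WordPress APIs used are real.
 */

// --- Vulnerable pattern: the only "authentication" is the admin's session cookie,
// which the browser attaches to any POST a third-party page makes to admin-ajax.php.
// No nonce, no capability check: a forged form submission reaches remove_theme_mod().
function example_reset_section_vulnerable() {
    $section = isset( $_POST['section'] ) ? sanitize_key( $_POST['section'] ) : '';
    foreach ( example_mods_for_section( $section ) as $mod ) {
        remove_theme_mod( $mod ); // wipes the customization
    }
    wp_send_json_success( array( 'reset' => $section ) );
}
// add_action( 'wp_ajax_example_reset_section', 'example_reset_section_vulnerable' );

// --- Hardened pattern: the nonce proves the request originated from a page this site
// rendered for this user; the capability check proves the user may edit theme settings.
function example_reset_section_hardened() {
    // Dies with HTTP 403 when the 'nonce' field is absent, expired, or was minted
    // for another user or another action. A page on attacker.example cannot read
    // the nonce out of the admin's Customizer, so it cannot supply a valid one.
    check_ajax_referer( 'example_reset_section', 'nonce' );

    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
    }

    $section = isset( $_POST['section'] ) ? sanitize_key( $_POST['section'] ) : '';
    $mods    = example_mods_for_section( $section );
    if ( empty( $mods ) ) {
        wp_send_json_error( array( 'message' => 'unknown section' ), 400 );
    }
    foreach ( $mods as $mod ) {
        remove_theme_mod( $mod );
    }
    wp_send_json_success( array( 'reset' => $section ) );
}
add_action( 'wp_ajax_example_reset_section', 'example_reset_section_hardened' );

// Client side: hand the nonce to the Customizer controls script so legitimate
// requests carry it as the 'nonce' POST field that check_ajax_referer() reads.
function example_enqueue_customizer_controls() {
    wp_enqueue_script(
        'example-reset',
        get_template_directory_uri() . '/assets/reset.js', // assumed path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-reset', 'exampleReset', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_reset_section' ),
    ) );
}
add_action( 'customize_controls_enqueue_scripts', 'example_enqueue_customizer_controls' );

// Assumed lookup: which theme_mods belong to a given Customizer section.
function example_mods_for_section( $section ) {
    $map = array(
        'header' => array( 'header_layout', 'header_bg_color' ),
        'footer' => array( 'footer_columns', 'footer_text' ),
    );
    return isset( $map[ $section ] ) ? $map[ $section ] : array();
}
```

Both checks are needed: check_ajax_referer() alone would still let any logged-in subscriber who obtained a nonce for this action reset the theme, and current_user_can() alone is exactly the vulnerable state, since the forged request runs with the administrator's capabilities.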

Affected Systems

The vulnerability applies to the Customify theme developed by pressmaximum, specifically version 0.4.11. Any WordPress site using this version is susceptible until it is updated to a patched release.

Risk and Exploitability

The CVSS score of 4.3 indicates medium overall risk, and the EPSS score of less than 1% suggests a low probability of exploitation with current knowledge. The flaw is not in the CISA KEV catalog. The attacker needs no account or credentials on the target site, but exploitation requires user interaction (CVSS UI:R): a logged-in administrator must be enticed into sending the forged request, typically by visiting a page that carries a malicious link or an auto-submitting form, and the reset then executes with that administrator's privileges.

Generated by OpenCVE AI on April 20, 2026 at 16:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Customify theme to version 0.4.12 or later, the release this entry identifies as adding nonce validation to the theme customization reset
  • Until the upgrade is applied, use a WordPress security plugin or WAF (e.g., Wordfence, iThemes Security) to block requests that reach the reset_customize_section handler. Such tooling cannot enforce a nonce that the vulnerable theme never issues to its own client, so the interim rule has to deny the handler outright or reject requests whose Origin/Referer host is not the site's own host
  • After upgrading, confirm that a request to the reset handler without a nonce is rejected, and review the Customizer settings for resets you did not make
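A same-origin stopgap of the kind the second recommendation describes, as an added example that is not part of this entry and not Customify's code. It is a must-use plugin that runs on admin_init, which admin-ajax.php fires before dispatching the wp_ajax_* hook, and refuses guarded actions whose Origin or Referer host differs from the site's. The action slug example_reset_section is a placeholder: substitute the real one from the theme's add_action('wp_ajax_...') registration.

```php
<?php
/**
 * Plugin Name: Example stopgap: same-origin check for guarded admin-ajax actions
 * Added illustration (not Customify's or OpenCVE's code). Place in wp-content/mu-plugins/.
 * Assumption: the vulnerable handler is reached through admin-ajax.php with an
 * 'action' value taken from the theme's add_action('wp_ajax_...') call;
 * 'example_reset_section' below is a placeholder, not Customify's real slug.
 */

const EXAMPLE_GUARDED_ACTIONS = array( 'example_reset_section' );

function example_block_cross_site_ajax() {
    // Only admin-ajax requests carrying a logged-in session are CSRF targets here.
    if ( ! wp_doing_ajax() || ! is_user_logged_in() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( ! in_array( $action, EXAMPLE_GUARDED_ACTIONS, true ) ) {
        return;
    }
    if ( ! example_request_is_same_origin() ) {
        wp_die(
            'Blocked: cross-site request to a guarded action',
            'Forbidden',
            array( 'response' => 403 )
        );
    }
}
// admin_init runs before do_action( "wp_ajax_{$action}" ) in admin-ajax.php,
// so the theme's handler never executes for a rejected request.
add_action( 'admin_init', 'example_block_cross_site_ajax' );

/**
 * Browsers add an Origin header to cross-site POSTs and a Referer header to
 * form submissions and fetch/XHR calls unless a referrer policy strips it, so
 * a forged request from attacker.example names the attacker's host in at least
 * one of them. A request carrying neither header fails closed: the admin's own
 * Customizer XHR always carries an Origin.
 */
function example_request_is_same_origin() {
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( empty( $_SERVER[ $header ] ) ) {
            continue;
        }
        $host = wp_parse_url( wp_unslash( $_SERVER[ $header ] ), PHP_URL_HOST );
        return is_string( $host ) && 0 === strcasecmp( $host, $site_host );
    }
    return false;
}
```

This is a perimeter approximation, not a fix: it compares hostnames only (no port or scheme), it relies on headers the browser controls rather than on a secret the attacker cannot read, and it must be removed once the patched theme's nonce check is in place.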



Advisories
Source: EUVD
ID: EUVD-2025-32258
Title: The Customify theme for WordPress is vulnerable to Cross-Site Request Forgery in version 0.4.11. This is due to missing or incorrect nonce validation on the reset_customize_section function. This makes it possible for unauthenticated attackers to reset theme customization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 15 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 18:30:00 +0000

Type: References

Mon, 06 Oct 2025 14:45:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Oct 2025 11:30:00 +0000

Type: Description
Values added: The Customify theme for WordPress is vulnerable to Cross-Site Request Forgery in version 0.4.11. This is due to missing or incorrect nonce validation on the reset_customize_section function. This makes it possible for unauthenticated attackers to reset theme customization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Type: Title
Values added: Customify <= 0.4.11 - Cross-Site Request Forgery
Type: Weaknesses
Values added: CWE-352
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-15T14:00:42.668Z

Reserved: 2025-08-06T10:37:06.076Z

Link: CVE-2025-8669

Vulnrichment

Updated: 2025-10-03T14:04:06.509Z

NVD

Status : Deferred

Published: 2025-10-03T12:15:44.990

Modified: 2026-04-15T15:16:41.093

Link: CVE-2025-8669

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z

Weaknesses