Description
The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules.
Published: 2025-09-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of theme module settings by authenticated users with Subscriber-level access
Action: Assess Impact
AI Analysis

Impact

The vulnerability resides in the activate_modules function of the Sydney WordPress theme, where a missing capability check allows any authenticated user with at least Subscriber privileges to toggle the activation state of theme modules. This flaw creates a privilege escalation scenario that enables attackers to alter the configuration of a site without requiring higher-level administrative rights. While the impact is limited to configuration changes rather than code execution, it can disrupt user experience, hide or misconfigure features, and compromise site integrity.

Affected Systems

Sydney WordPress theme developed by athemes, all releases up to and including version 2.56. Any installation of these releases is vulnerable; no specific sub‑versions beyond 2.56 are listed.

Risk and Exploitability

The vulnerability has a moderate CVSS score of 5.3, indicating significant but not critical risk. The EPSS score is below 1 %, reflecting a very low probability of exploitation at this time. The issue is not listed in CISA KEV, further reducing its current threat level. Because the attack vector requires an existing authenticated Subscriber account—possibly through credential theft, social engineering, or legitimate content contributors—the vulnerability is more likely if an attacker gains or leverages such credentials.

Generated by OpenCVE AI on April 21, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sydney theme to the latest version, removing the vulnerable activation_modules code
  • Revoke or limit the ability of Subscriber roles to manage theme options by adjusting WordPress role capabilities
  • Monitor changes to theme module settings and review logs for unauthorized activity

Generated by OpenCVE AI on April 21, 2026 at 02:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-29712 The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Thu, 18 Sep 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Athemes
Athemes sydney Toolbox
Wordpress
Wordpress wordpress
Vendors & Products Athemes
Athemes sydney Toolbox
Wordpress
Wordpress wordpress

Wed, 17 Sep 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Sep 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules.
Title Sydney <= 2.56 - Missing Authorization to Authenticated (Subscriber+) Limited Theme Options Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Athemes Sydney Toolbox
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:13.080Z

Reserved: 2025-08-13T18:26:47.098Z

Link: CVE-2025-8999

cve-icon Vulnrichment

Updated: 2025-09-17T13:06:58.773Z

cve-icon NVD

Status : Deferred

Published: 2025-09-17T12:15:38.760

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8999

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses