CVE-2025-0951: CWE-862 Missing Authorization in LiquidThemes AI Hub - Startup & Technology WordPress Theme
Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquid_reset_wordpress_before AJAX in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate all of a site's plugins. While we escalated this to Envato after not being able to establish contact, it appears the developer added a nonce check; however, that is not sufficient protection as the nonce is exposed to all users with access to the dashboard.
AI Analysis
Technical Summary
CVE-2025-0951 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the LiquidThemes AI Hub - Startup & Technology WordPress theme. The core issue arises from a missing capability check on the AJAX action 'liquid_reset_wordpress_before' across various versions of this theme. This flaw allows authenticated users with Subscriber-level privileges or higher to perform unauthorized actions, specifically the deactivation of all plugins on a WordPress site. Although the developer attempted to mitigate the issue by adding a nonce check, this measure is insufficient because the nonce is accessible to all users with dashboard access, including low-privileged roles. Consequently, an attacker who has any authenticated access to the WordPress dashboard can exploit this vulnerability without requiring elevated privileges or user interaction. The CVSS v3.1 score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts integrity by allowing unauthorized plugin deactivation. The vulnerability does not affect confidentiality or availability directly but can indirectly affect site functionality and security posture by disabling security or functionality plugins. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability is significant because WordPress is widely used, and plugins are critical for site functionality and security. Unauthorized deactivation of plugins can lead to loss of security controls, exposure to other vulnerabilities, or site downtime.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to websites using the affected LiquidThemes AI Hub WordPress theme. The ability for low-privileged authenticated users to deactivate all plugins can lead to significant security degradation, including disabling firewalls, malware scanners, or backup plugins. This can expose sites to further attacks, data breaches, or service interruptions. Organizations relying on WordPress for customer-facing websites, e-commerce, or internal portals may experience operational disruptions and reputational damage. Given the GDPR environment, any resulting data breach or service unavailability could lead to regulatory scrutiny and fines. The impact is heightened for organizations with multiple users having dashboard access, as the attack surface increases. Additionally, attackers who gain subscriber-level access through phishing or credential stuffing could leverage this vulnerability to escalate their impact without needing administrator credentials.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately audit WordPress sites using the LiquidThemes AI Hub theme to identify affected instances.
2) Restrict dashboard access strictly to trusted users and minimize the number of accounts with Subscriber or higher privileges.
3) Implement strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
4) Monitor and log plugin activation/deactivation events to detect suspicious activity promptly.
5) Consider temporarily disabling or replacing the affected theme until a secure patch is released.
6) If possible, implement custom capability checks or filters to enforce authorization on the 'liquid_reset_wordpress_before' AJAX action.
7) Keep all WordPress core, themes, and plugins updated and subscribe to security advisories from LiquidThemes and WordPress security communities.
8) Employ web application firewalls (WAFs) that can detect and block unauthorized AJAX requests targeting this vulnerability.
9) Educate users with dashboard access about phishing and credential hygiene to prevent unauthorized access.
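One way to implement recommendations 4 and 6 as a must-use plugin, given here as an added example that is not LiquidThemes or Wordfence code. The `lqd_guard_*` function names, the log prefix and the choice of `activate_plugins` as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: Guard for liquid_reset_wordpress_before (added example)
 * Place in wp-content/mu-plugins/. Illustrative; not the theme vendor's code.
 */

// Assumption: the action deactivates plugins, so require the capability
// WordPress itself requires for that (held by administrators by default).
const LQD_GUARD_CAP = 'activate_plugins';

// PHP_INT_MIN priority runs this check before any handler the theme
// registers on the same hook, whatever priority the theme uses.
add_action( 'wp_ajax_liquid_reset_wordpress_before', 'lqd_guard_authorize', PHP_INT_MIN );

function lqd_guard_authorize() {
    if ( current_user_can( LQD_GUARD_CAP ) ) {
        return; // Authorized: fall through to the theme's handler.
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        '[lqd-guard] blocked liquid_reset_wordpress_before user_id=%d login=%s ip=%s',
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    // Sends a JSON body with HTTP 403 and ends the request, so the
    // theme's handler never runs for this user.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Recommendation 4: log every change that removes entries from the
// active_plugins option, whichever code path caused it.
add_action( 'update_option_active_plugins', 'lqd_guard_log_deactivations', 10, 2 );

function lqd_guard_log_deactivations( $old_value, $value ) {
    $removed = array_diff( (array) $old_value, (array) $value );
    if ( empty( $removed ) ) {
        return; // Activation or reordering only; nothing was turned off.
    }
    error_log( sprintf(
        '[lqd-guard] plugins deactivated by user_id=%d: %s',
        get_current_user_id(),
        implode( ', ', $removed )
    ) );
}
```

A valid nonce never reaches the theme's handler unless the caller also holds the capability, which is the check the advisory says is missing.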
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-31T19:34:34.392Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68afd4e9ad5a09ad0068aba6
Added to database: 8/28/2025, 4:02:49 AM
Last enriched: 8/28/2025, 4:18:25 AM
Last updated: 8/28/2025, 2:32:54 PM