CVE-2025-0951: CWE-862 Missing Authorization in LiquidThemes AI Hub - Startup & Technology WordPress Theme
Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquid_reset_wordpress_before AJAX in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate all of a site's plugins. While we escalated this to Envato after not being able to establish contact, it appears the developer added a nonce check, however that is not sufficient protection as the nonce is exposed to all users with access to the dashboard.
AI Analysis
Technical Summary
CVE-2025-0951 is a vulnerability categorized under CWE-862 (Missing Authorization) found in the LiquidThemes AI Hub - Startup & Technology WordPress theme affecting all versions. The root cause is the absence of proper capability checks on the AJAX action liquid_reset_wordpress_before, which is responsible for resetting or deactivating plugins. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this AJAX endpoint and deactivate all plugins on the WordPress site. The developer attempted to mitigate the issue by adding a nonce check; however, this nonce is exposed to all users with dashboard access, rendering the protection ineffective. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 score is 4.3 (medium), reflecting the limited impact on confidentiality and availability but a notable impact on integrity since plugins can be disabled, potentially disrupting site functionality and security controls. No patches or updates have been linked yet, and no known exploits have been observed in the wild. The vulnerability affects all versions of the theme, making it critical for site administrators to apply fixes or implement compensating controls promptly.
Potential Impact
The primary impact of this vulnerability is the unauthorized deactivation of all plugins on affected WordPress sites, which can severely disrupt website functionality, degrade security posture, and potentially expose the site to further attacks if security plugins are disabled. While it does not directly compromise data confidentiality or availability, the loss of plugin functionality can lead to indirect availability issues (e.g., broken features or security controls). Attackers with Subscriber-level access—which is a low-privilege role—can exploit this vulnerability, increasing the risk as such accounts are easier to obtain or compromise. This can affect organizations relying on LiquidThemes AI Hub theme for their WordPress sites, including businesses, startups, and technology companies, potentially causing operational downtime and reputational damage. The vulnerability could also be leveraged as a stepping stone for more advanced attacks if critical security plugins are disabled.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first verify if an official patch or update from LiquidThemes is available and apply it immediately. In the absence of a patch, administrators should restrict Subscriber-level access and above to only trusted users, minimizing the risk of exploitation. Implementing role-based access controls (RBAC) to limit dashboard access and plugin management capabilities is critical. Additionally, custom code can be added to enforce capability checks on the liquid_reset_wordpress_before AJAX action, ensuring only users with Administrator privileges can invoke it. Monitoring and logging AJAX requests related to plugin management can help detect suspicious activity. Disabling or removing unused plugins and themes reduces the attack surface. Regular backups should be maintained to restore plugin configurations if unauthorized changes occur. Finally, educating users about the risks of low-privilege account compromise and enforcing strong authentication mechanisms can reduce exploitation likelihood.
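One way to add the capability check and request logging recommended above, as an added example that is not LiquidThemes' or the page's own code. It assumes the theme registers its handler on the standard wp_ajax_liquid_reset_wordpress_before hook; the file path, function name and log prefix are hypothetical.

```php
<?php
/**
 * Added example (not LiquidThemes code): must-use plugin that gates the
 * liquid_reset_wordpress_before AJAX action behind a capability check.
 * Hypothetical location: wp-content/mu-plugins/guard-liquid-reset.php
 * Assumption: the theme's handler is attached to the standard
 * wp_ajax_{action} hook for logged-in users.
 */

defined( 'ABSPATH' ) || exit;

// Capability required to run the reset. Administrators hold activate_plugins
// on a single-site install; Subscribers do not.
const GUARD_LIQUID_RESET_CAP = 'activate_plugins';

/**
 * Runs ahead of the theme's handler. Ends the request with HTTP 403 when the
 * caller lacks the capability, so the theme's handler never executes.
 */
function guard_liquid_reset_wordpress_before() {
	if ( current_user_can( GUARD_LIQUID_RESET_CAP ) ) {
		return; // Authorized: the theme's handler and its nonce check run next.
	}

	// Record the denied attempt so it can be alerted on and reviewed.
	$ip = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf(
		'[guard-liquid-reset] denied liquid_reset_wordpress_before: user_id=%d ip=%s',
		get_current_user_id(),
		$ip
	) );

	// wp_send_json_error() sends the JSON response and terminates the request.
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// PHP_INT_MIN is the earliest possible priority, so this guard runs first
// whatever priority the theme chose for its own callback.
add_action(
	'wp_ajax_liquid_reset_wordpress_before',
	'guard_liquid_reset_wordpress_before',
	PHP_INT_MIN
);
```

The check is on a capability rather than the nonce because, as the description notes, the nonce is visible to every user with dashboard access.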
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-31T19:34:34.392Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68afd4e9ad5a09ad0068aba6
Added to database: 8/28/2025, 4:02:49 AM
Last enriched: 2/27/2026, 5:57:00 PM
Last updated: 3/25/2026, 4:21:41 AM