CVE-2025-0951
Description
Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquid_reset_wordpress_before AJAX action in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate all of a site's plugins. While we escalated this to Envato after not being able to establish contact, it appears the developer added a nonce check; however, that is not sufficient protection as the nonce is exposed to all users with access to the dashboard.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress LiquidThemes plugins/themes allow authenticated attackers to deactivate all plugins due to insufficient capability and nonce checks.
Root Cause
The vulnerability resides in the liquid_reset_wordpress_before AJAX action implemented in multiple plugins and themes by LiquidThemes. The core issue is a missing capability check, which permits any authenticated user—regardless of their role—to trigger the action. Although the developer attempted to mitigate the problem by adding a nonce, that nonce is exposed to all users who can access the WordPress dashboard, rendering it ineffective as an authorization barrier [1].
Exploitation
An attacker needs only a valid account with Subscriber-level access or higher to exploit this flaw. Since Subscriber is the default role for new users on many WordPress sites, the attack surface is broad. The attacker can craft a request to the AJAX endpoint, supplying the exposed nonce, and invoke the function that deactivates all installed plugins on the target site. No additional privileges are required beyond the authenticated session.
Impact
Successful exploitation results in the immediate deactivation of every active plugin on the WordPress site. This can cause complete loss of site functionality, remove security plugins, and potentially expose the site to other vulnerabilities or make the front-end inaccessible if the theme relies on plugin features. The attacker does not delete data, but the disruption can be severe and require manual recovery by an administrator.
Mitigation
At the time of publication (2025-08-28), a complete, secure patch has not been confirmed. The vendor added a nonce check, but as noted, that does not prevent exploitation because the nonce is accessible to all dashboard users. Users are advised to restrict Subscriber accounts to trusted individuals only and to monitor for updates from LiquidThemes or Envato that address the authorization gap properly.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
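Until a vendor fix with a proper capability check is confirmed, the missing authorization can be enforced from outside the affected code. The following must-use plugin is an added example, not LiquidThemes code and not part of the original advisory. It assumes the vendor registers its handler on WordPress's standard `wp_ajax_{action}` hook and that `activate_plugins` is the right capability to require; the file name and function name are hypothetical.

```php
<?php
/**
 * Plugin Name: Guard liquid_reset_wordpress_before (CVE-2025-0951)
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 *              (hypothetical file name: cve-2025-0951-guard.php).
 */

defined( 'ABSPATH' ) || exit;

// Assumption: the vulnerable handler is attached to the standard
// wp_ajax_{action} hook. PHP_INT_MIN priority makes this guard run before it.
add_action( 'wp_ajax_liquid_reset_wordpress_before', 'cve_2025_0951_guard', PHP_INT_MIN );

function cve_2025_0951_guard() {
	// A nonce only shows the request originated from a dashboard page the
	// user could load; it says nothing about the user's role. Require the
	// capability WordPress core uses for activating/deactivating plugins.
	if ( current_user_can( 'activate_plugins' ) ) {
		return; // Authorized: let the vendor handler run as usual.
	}

	// Record the denied call so low-privilege attempts are visible in logs.
	$user = wp_get_current_user();
	error_log( sprintf(
		'CVE-2025-0951 guard: denied liquid_reset_wordpress_before user_id=%d login=%s ip=%s',
		$user->ID,
		$user->user_login,
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
	) );

	// wp_send_json_error() sends the response and ends the request, so the
	// later callbacks registered on this hook never execute.
	wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
```

Because must-use plugins load before regular plugins and themes and cannot be deactivated from the dashboard, the guard stays in place even if the reset action is triggered by an authorized user.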
Patches
No patches discovered yet.