CVE-2025-8669
Description
The Customify theme for WordPress is vulnerable to Cross-Site Request Forgery in version 0.4.11. This is due to missing or incorrect nonce validation on the reset_customize_section function. This makes it possible for unauthenticated attackers to reset theme customization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unpatched CSRF in Customify theme 0.4.11 lets attackers reset all theme settings via a forged request by tricking an admin into clicking a link.
The Customify WordPress theme, active on over 50,000 sites, contains a Cross-Site Request Forgery (CSRF) vulnerability in version 0.4.11. The vulnerability resides in the `customify__reset_section` AJAX handler (the `reset_customize_section` function named in the description), which lacks nonce validation and, per the cited research, a capability check. This allows an unauthenticated attacker to force a complete reset of all Customify theme settings by tricking a site administrator into performing an action, such as clicking a malicious link [1].
To exploit this, an attacker crafts a request that targets the unprotected AJAX endpoint. The endpoint accepts an array of setting keys and reverts or deletes them without verifying the request's origin (no nonce) or the requesting user's permissions. The attacker can embed a hidden, auto-submitting form on any site and, through social engineering, get an administrator to load it; the administrator's browser attaches the WordPress session cookies, so the request arrives authenticated and the reset runs [1]. The attacker needs no account of their own, only a victim with a live administrator session.
The impact is the loss of all customizations made through the Customify theme, including layout, color, typography, and WooCommerce settings, which revert to their defaults. This can break the site's presentation and functionality and cause significant disruption. As of the publication date, no arbitrary code execution or data theft is reported, but the attack undermines site integrity and can be used for defacement or service degradation [1].
The vulnerability was disclosed by researcher Dmitrii Ignatyev and a proof-of-concept (PoC) has been published. Theme versions up to and including 0.4.11 are affected. At the time of publication, the cited research reported no official patch from the theme vendor; note, however, that the references below include a changeset for version 0.4.12 touching the same `inc/customizer/class-customizer.php` file, which administrators should review as the likely fix. Until the fix is confirmed and applied, site owners are advised to disable the theme or add a Web Application Firewall (WAF) rule blocking requests to the `customify__reset_section` AJAX action [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
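The defect class described above, shown as an added illustrative example rather than the Customify theme's own code: a WordPress `wp_ajax_` handler written in the vulnerable shape (no nonce, no capability check) next to a hardened version. The hook names, the `example_reset_section` nonce action string, the `keys` POST parameter and the allow-list of setting keys are assumptions made for the example; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `remove_theme_mod`, `wp_create_nonce`, `wp_localize_script`) are real.

```php
<?php
// Added example for CVE-2025-8669's defect class. Not the Customify theme's code;
// hook names, nonce action, parameter names and the allow-list are assumptions.

// --- Vulnerable pattern -----------------------------------------------------
// Registered only for logged-in users (wp_ajax_, not wp_ajax_nopriv_), but any
// page the administrator visits can make their browser POST here with their
// session cookies attached. Nothing ties the request to the Customizer UI.
add_action( 'wp_ajax_example_reset_section', 'example_reset_section_unsafe' );
function example_reset_section_unsafe() {
    $keys = isset( $_POST['keys'] ) ? (array) $_POST['keys'] : array();
    foreach ( $keys as $key ) {
        remove_theme_mod( sanitize_key( $key ) ); // reverts the setting to default
    }
    wp_send_json_success();
}
// A forged cross-site request for the handler above needs nothing secret:
//   POST /wp-admin/admin-ajax.php  action=example_reset_section&keys[]=primary_color

// --- Hardened pattern -------------------------------------------------------
add_action( 'wp_ajax_example_reset_section_safe', 'example_reset_section_safe' );
function example_reset_section_safe() {
    // 1. Nonce check. check_ajax_referer() terminates the request (HTTP 403,
    //    body "-1") when the 'nonce' field is missing, expired or forged.
    check_ajax_referer( 'example_reset_section', 'nonce' );

    // 2. Capability check. The Customizer itself is gated on edit_theme_options,
    //    so the reset endpoint must be too; a nonce alone proves only that the
    //    request came from a page that was handed the token.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation. Only keys the theme registers may be reset;
    //    the allow-list below is an assumption for the example.
    $allowed = array( 'header_layout', 'primary_color', 'body_font' );
    $keys    = isset( $_POST['keys'] )
        ? array_map( 'sanitize_key', (array) wp_unslash( $_POST['keys'] ) )
        : array();
    $keys = array_values( array_intersect( $keys, $allowed ) );

    foreach ( $keys as $key ) {
        remove_theme_mod( $key );
    }
    wp_send_json_success( array( 'reset' => $keys ) );
}

// The nonce is minted server-side and passed to the Customizer's script. A
// cross-site page cannot read it (same-origin policy), so a forged form cannot
// supply a valid value and step 1 above rejects the request.
add_action( 'customize_controls_enqueue_scripts', function () {
    wp_localize_script( 'customize-controls', 'exampleReset', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'action'  => 'example_reset_section_safe',
        'nonce'   => wp_create_nonce( 'example_reset_section' ),
    ) );
} );
```

The order of the checks matters: the nonce check runs first so that a forged request is rejected before any user-dependent logic executes, and the capability check is still required because WordPress nonces are per-user tokens, not authorization decisions. When reviewing a fix such as the 0.4.12 changeset in the references, look for both checks, not just the nonce.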
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- research.cleantalk.org/cve-2025-8669/ [nvd]
- themes.trac.wordpress.org/browser/customify/0.4.11/inc/customizer/class-customizer.php [nvd]
- themes.trac.wordpress.org/changeset/291160/customify/0.4.12/inc/customizer/class-customizer.php [nvd]
- www.wordfence.com/threat-intel/vulnerabilities/id/a3425d78-1e24-4224-bfdc-a3e11735384f [nvd]
News mentions (0)
No linked articles in our index yet.