VYPR
Medium severity (5.3) · NVD Advisory · Published Sep 17, 2025 · Updated Apr 15, 2026

CVE-2025-8999

Description

The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Sydney WordPress theme <=2.56 has a missing authorization check in activate_modules, allowing authenticated Subscriber+ users to activate or deactivate theme modules.

Vulnerability

Overview

The Sydney theme for WordPress (versions up to and including 2.56) contains an authorization bypass vulnerability in its module activation functionality. The activate_modules handler attached to URL parameters like activate_module_{slug} directly modifies the sydney-modules option in the wp_options table without verifying the user's capabilities. This missing capability check allows users with Subscriber-level access or higher to toggle theme modules such as block templates, custom headers, and advanced typography [1].

Exploitation

Details

The vulnerability is triggered via crafted GET requests to wp-admin/profile.php?activate_module_{slug}={0|1}. The handler lacks a nonce check and does not call current_user_can() or any role validation, so no administrative privilege is required. Additionally, because the request originates from the user's own profile page, an attacker could craft a Cross-Site Request Forgery (CSRF) link that, when visited by a logged-in subscriber, silently enables or disables modules [1].

Impact

An attacker with Subscriber-level access can arbitrarily activate or deactivate core theme features. This could disable security-relevant modules, enable functionality that weakens the site's defenses, or introduce unwanted features. The unauthorized modification may also change the site's appearance or behavior without administrator consent [1].

Mitigation

As of publication, the vendor has not released a patched version. The vulnerability affects all active installations of the Sydney theme (over 100,000 sites). Administrators are advised to restrict access to the Profile page for low-privilege users or apply a custom capability check until an official update addressing the missing authorization is issued [1].
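As an added illustration (not code from the Sydney theme or from this advisory), the handler shape described under Overview and Details is shown beside a hardened form of the kind the Mitigation section calls for. The `sydney-modules` option name and the `activate_module_{slug}` parameter pattern come from the advisory; the module slugs, the `admin_init` hook and the `edit_theme_options` capability are assumptions.

```php
<?php
// Added illustration, not the Sydney theme's own code. Option name and parameter
// pattern are from the advisory; slugs, hook and capability are assumed.
const MODULE_PREFIX = 'activate_module_';

// Vulnerable shape: any admin page request carrying ?activate_module_{slug}=0|1
// rewrites the option with no current_user_can() and no nonce, so a Subscriber
// (or a CSRF link they follow) can toggle modules.
function vulnerable_activate_modules() {
    $modules = get_option( 'sydney-modules', array() );
    foreach ( array_keys( $_GET ) as $param ) {
        if ( 0 === strpos( $param, MODULE_PREFIX ) ) {
            $modules[ substr( $param, strlen( MODULE_PREFIX ) ) ] = (bool) $_GET[ $param ];
        }
    }
    update_option( 'sydney-modules', $modules );
}

// Hardened shape: capability check, per-action nonce, slug allow-list.
function hardened_activate_modules() {
    $known   = array( 'block-templates', 'custom-headers', 'typography' ); // assumed slugs
    $modules = get_option( 'sydney-modules', array() );
    $changed = false;
    foreach ( array_keys( $_GET ) as $param ) {
        if ( 0 !== strpos( $param, MODULE_PREFIX ) ) {
            continue;
        }
        // Authorization: only users who may manage theme settings can toggle modules.
        if ( ! current_user_can( 'edit_theme_options' ) ) {
            wp_die( 'Not allowed to change theme modules.', '', array( 'response' => 403 ) );
        }
        // CSRF: the link must carry a nonce minted for this specific module action.
        $slug  = sanitize_key( substr( $param, strlen( MODULE_PREFIX ) ) );
        $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
        if ( ! wp_verify_nonce( $nonce, 'sydney_toggle_module_' . $slug ) ) {
            wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
        }
        if ( ! in_array( $slug, $known, true ) ) {
            continue; // unknown slug: ignore instead of creating arbitrary option keys
        }
        $modules[ $slug ] = ( '1' === $_GET[ $param ] );
        $changed          = true;
    }
    if ( $changed ) {
        update_option( 'sydney-modules', $modules );
    }
}
add_action( 'admin_init', 'hardened_activate_modules' );

// Toggle links rendered in the admin UI must carry the matching nonce, e.g.:
// wp_nonce_url( add_query_arg( MODULE_PREFIX . 'typography', '1', admin_url( 'themes.php' ) ), 'sydney_toggle_module_typography' );
```

With the hardened handler, a plain link to `profile.php?activate_module_{slug}=1` fails the nonce check, and a Subscriber fails the capability check before any option write occurs.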

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 5

News mentions: 0 (no linked articles in the index yet)