CVE-2025-9194
Description
The Constructor theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clean() function in all versions up to, and including, 1.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a theme clean.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing capability check on clean() in the Constructor WordPress theme allows Subscriber-level users to trigger an unauthorized theme clean.
The Constructor theme for WordPress versions up to and including 1.6.5 fails to perform a capability check in the clean() function, as visible in the Ajax.php source code [1]. This function is intended for administrative actions but lacks proper authorization verification, allowing any authenticated user with at least Subscriber-level access to invoke it.
An attacker can exploit this by sending a crafted request to the theme's AJAX endpoint, triggering the clean() function without the necessary administrative privileges. The attack requires only a valid WordPress user account with Subscriber role or higher, making it accessible to a wide range of authenticated users [1].
The impact is unauthorized modification of theme data, potentially resetting customizations or causing other unintended changes. While not a full site takeover, it can degrade the site's appearance and functionality [1].
At the time of the advisory, users are advised to update to a patched version if one is available. Since the vulnerability affects all versions up to and including 1.6.5, sites running an affected version should upgrade or apply a workaround such as disabling the AJAX endpoint for non-administrator users [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
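To make the defect class concrete, here is an added illustrative example of a WordPress AJAX handler that lacks authorization beside its hardened form. It is not the Constructor theme's actual Ajax.php code; the hook name, the constructor_clean() callback, the option name and the choice of capability are all assumptions.

```php
<?php
// Added illustrative example, NOT code from the Constructor theme.
// Shows the class of defect CVE-2025-9194 describes (an AJAX action that
// any logged-in user can trigger) next to a hardened handler.

// Placeholder for the theme's own clean/reset logic (assumed; not shown by the page).
function constructor_do_clean() {
    delete_option( 'constructor_cache' ); // hypothetical option name
}

// --- Weak pattern (not registered here, shown for contrast). ---
// wp_ajax_* hooks fire for EVERY authenticated user, so registering the
// action is not an authorization check. With no current_user_can() and no
// nonce, a Subscriber can trigger the clean.
function constructor_clean_unchecked() {
    constructor_do_clean();
    wp_send_json_success();
}

// --- Hardened form: capability check plus nonce, then the action. ---
function constructor_clean_checked() {
    // Authorization: only users allowed to change theme settings.
    // 'edit_theme_options' is an assumed choice of capability.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    // CSRF protection: the request must carry a nonce created with
    // wp_create_nonce( 'constructor_clean' ) on the admin page that issues it.
    check_ajax_referer( 'constructor_clean', 'nonce' );

    constructor_do_clean();
    wp_send_json_success();
}
add_action( 'wp_ajax_constructor_clean', 'constructor_clean_checked' );
```

Because the endpoint is only meant for administrators, there is deliberately no `wp_ajax_nopriv_` registration, so unauthenticated requests never reach the handler at all.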
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.