VYPR
Medium severity (4.3) · NVD Advisory · Published Aug 20, 2025 · Updated Apr 15, 2026

CVE-2025-9202

Description

The ColorMag theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the ThemeGrill Demo Importer plugin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The ColorMag theme lacks a capability check, allowing authenticated subscribers to install the ThemeGrill Demo Importer plugin via AJAX.

The ColorMag theme for WordPress (versions up to and including 4.0.19) contains a missing capability check in the welcome_notice_import_handler() function, which handles the AJAX action for importing demo content. The theme exposes the required nonce to all authenticated users via wp_localize_script, but fails to enforce any permission checks before executing the import routine [1].

This vulnerability can be exploited by any authenticated attacker with Subscriber-level access or higher. The AJAX action import_button is registered without a current_user_can() check, only verifying the nonce via check_ajax_referer(). Since the nonce is accessible to low-privileged users, an attacker can craft a malicious AJAX request to trigger the import handler [1].

Successful exploitation allows the attacker to install the ThemeGrill Demo Importer plugin without authorization. While this may not directly lead to privilege escalation, it enables the installation of a plugin that could be used for further malicious activities, depending on the plugin's capabilities [1].

As of the publication date, no patched version of the ColorMag theme has been released. Users are advised to restrict access to trusted users or apply a custom security fix until an official update is available [1].
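As an added illustration (not the ColorMag theme's code, nor part of this record), the handler pattern described above in simplified PHP with hypothetical names: an admin-ajax handler that only verifies a nonce, beside the hardened form that also enforces current_user_can() and withholds the nonce from users who lack the capability. The helper example_install_demo_importer_plugin() is a hypothetical stand-in for the privileged action.

```php
<?php
// Illustrative example, not the theme's own code. All example_* names are hypothetical.

// Stand-in for the privileged action the handler performs (e.g. installing a plugin).
function example_install_demo_importer_plugin() {
    // Hypothetical: would drive Plugin_Upgrader here.
}

// Vulnerable pattern: the nonce only proves the request originated from a page
// served to a logged-in user (CSRF protection). It is NOT an authorization check.
// If the nonce is handed to every authenticated user via wp_localize_script,
// a Subscriber can call this handler and reach the privileged action.
function example_import_handler_vulnerable() {
    check_ajax_referer( 'example_import_nonce', 'security' );
    example_install_demo_importer_plugin();
    wp_send_json_success();
}

// Hardened pattern: fail closed unless the caller holds the capability the
// action actually requires. install_plugins is the capability WordPress itself
// requires for plugin installation.
function example_import_handler_hardened() {
    check_ajax_referer( 'example_import_nonce', 'security' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        // wp_send_json_error() terminates the request after sending the response.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    example_install_demo_importer_plugin();
    wp_send_json_success();
}

// Register only the hardened handler, and only for logged-in users
// (wp_ajax_ prefix, never wp_ajax_nopriv_ for a privileged action).
add_action( 'wp_ajax_example_import_button', 'example_import_handler_hardened' );

// Defence in depth: only localize the nonce for users who hold the capability,
// so low-privileged users never receive the token in the first place.
function example_enqueue_welcome_script() {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return;
    }
    wp_enqueue_script( 'example-welcome', get_template_directory_uri() . '/js/welcome.js', array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-welcome', 'exampleWelcome', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_import_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_welcome_script' );
```

The capability check, not the nonce, is what blocks the Subscriber-level request; the enqueue guard merely reduces exposure and must not be relied on alone, since the handler remains reachable to anyone who obtains a valid nonce.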

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (No linked articles in our index yet.)