VYPR
Medium severity · CVSS 4.3 · NVD Advisory · Published Aug 22, 2025 · Updated Apr 15, 2026

CVE-2025-9331

Description

The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Spacious WordPress theme (≤1.9.11) lacks a capability check in the demo data import AJAX handler, allowing authenticated Subscriber+ users to import demo data without authorization.

Vulnerability Overview

The Spacious WordPress theme, active on over 30,000 sites, contains a missing capability check in the welcome_notice_import_handler function. This vulnerability affects all versions up to and including 1.9.11 [1]. The function is intended to restrict demo data import to high-privileged users like Administrators or Editors, but the AJAX handler wp_ajax_import_button only verifies a nonce without checking the user's capabilities [1]. The nonce is exposed client-side via wp_localize_script, making it accessible to any authenticated user.
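The contrast the overview draws, a handler that only verifies a nonce versus one that also checks the caller's capability, as an added illustration that is not the Spacious theme's code. The function names (demo_import_handler_nonce_only, demo_import_handler_secured, demo_import_run, demo_import_enqueue), the AJAX action 'demo_import', the nonce action 'demo-import' and the admin screen hook are all hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, wp_localize_script, wp_create_nonce, wp_send_json_error, wp_insert_post) are real.

```php
<?php
// Added example, not code from the Spacious theme. Function names, the AJAX
// action 'demo_import' and the nonce action 'demo-import' are hypothetical.

// --- Pattern the advisory describes as vulnerable: nonce check only --------
// wp_localize_script() hands the nonce to JavaScript on a page that every
// logged-in user can load, so a passing check_ajax_referer() only proves the
// request came from a live session on this site (CSRF protection). It says
// nothing about whether that user is allowed to run the import.
function demo_import_handler_nonce_only() {
    check_ajax_referer( 'demo-import', 'nonce' ); // dies on a missing/bad nonce
    $result = demo_import_run();                   // any authenticated role reaches this
    wp_send_json_success( $result );
}

// --- Hardened form: nonce plus capability check -----------------------------
// current_user_can() is the authorization step. 'manage_options' restricts the
// action to Administrators; pick the narrowest capability the feature needs.
function demo_import_handler_secured() {
    check_ajax_referer( 'demo-import', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // Subscribers (and every other role without the capability) stop here.
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    $result = demo_import_run();
    wp_send_json_success( $result );
}

// Register only the hardened handler, and only for logged-in users: there is
// deliberately no wp_ajax_nopriv_demo_import hook, so anonymous requests never
// reach the handler at all.
add_action( 'wp_ajax_demo_import', 'demo_import_handler_secured' );

// Expose the nonce to the import button's script, limited to the admin screen
// where the button lives (hook suffix is hypothetical). Exposing the nonce is
// fine in itself; the authorization decision has to live in the handler.
function demo_import_enqueue( $hook ) {
    if ( 'appearance_page_demo-import' !== $hook ) {
        return;
    }
    wp_enqueue_script(
        'demo-import',
        get_template_directory_uri() . '/js/demo-import.js',
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'demo-import', 'demoImport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo-import' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_import_enqueue' );

// Stand-in for the real import work: creates one constructed sample page and
// returns its post ID (or a WP_Error), which the handlers send back as JSON.
function demo_import_run() {
    return wp_insert_post( array(
        'post_title'   => 'Demo page',
        'post_content' => 'Sample content created by the demo importer.',
        'post_status'  => 'publish',
        'post_type'    => 'page',
    ), true );
}
```

The only difference between the two handlers is the current_user_can() branch, which is exactly the check the advisory says welcome_notice_import_handler lacks. When reviewing a theme or plugin, look at every wp_ajax_ callback and confirm it pairs its nonce verification with a capability check; a nonce that reaches the browser through wp_localize_script is available to whichever roles can load that page, so it cannot serve as the authorization boundary.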

Attack Vector

An authenticated attacker with as little as Subscriber-level access can exploit this by crafting a POST request to the admin-ajax.php endpoint. Because the nonce is present in the page context for all logged-in users (including Subscribers), the AJAX action import_button will accept the request and import arbitrary demo content [1]. This bypasses the intended privilege boundaries, allowing low-level users to trigger a function meant for higher roles.

Impact

Successful exploitation enables an attacker to import demo data into the WordPress site. While the immediate impact is the addition of demo content (e.g., pages, posts, widgets, and possibly menu assignments), this could lead to further site manipulation if imported content includes malicious payloads or changes site configuration [1]. The vulnerability is classified as medium severity (CVSS 4.3) and is publicly documented with a proof of concept but no known active exploits as of the publication date.

Mitigation

The theme vendor was contacted on August 7, 2025, and a fix is expected in a future update [1]. Until then, site administrators should restrict Subscriber capabilities or disable the vulnerable theme if import functionality is not required. The CVE has been registered and publicly disclosed on September 5, 2025 [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.