VYPR
patch · Published Dec 10, 2025 · Updated May 19, 2026 · 1 source

Privilege Escalation Vulnerability in Soledad Theme Affecting 50k+ Sites

A privilege escalation vulnerability (CVE-2025-64188) in the Soledad WordPress theme allows any logged-in user to take over a site by modifying global settings.

A privilege escalation vulnerability has been discovered in the Soledad WordPress theme by PenciDesign, a theme with over 57,000 active sales. Tracked as CVE-2025-64188, the flaw allows any logged-in user with Subscriber-level access or higher to modify global site settings, potentially leading to full site takeover.

The vulnerability resides in the `penci_update_option` AJAX action, which is used to update theme options. The function checks a nonce for validation but fails to verify the user's capabilities or restrict which options can be changed. Since the nonce is accessible to any user who can load `/wp-admin`, an attacker can send a crafted request to enable user registration and set the default role to Administrator. This allows them to create a new administrator account and gain complete control over the site.

The issue affects Soledad versions 8.6.9 and below. The patch, released in version 8.6.9.1, adds a `current_user_can()` permissions check to ensure only authorized users can execute the AJAX action. Users are strongly advised to update immediately.

This vulnerability highlights a common security pitfall in WordPress components: relying on nonces for access control. As the WordPress developer documentation states, nonces should never be used for authentication or authorization. Proper capability checks are essential for any privileged functionality.
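The pattern described above, shown as an added illustration rather than Soledad's or Patchstack's code: a nonce-only AJAX handler beside a hardened version that adds a capability check and an option allowlist. Handler names, option keys and the `edit_theme_options` capability are assumptions for the example, not details from the advisory.

```php
<?php
// Added illustration (not the theme's or Patchstack's code). Function names,
// option keys and the chosen capability are hypothetical.

// Vulnerable pattern: the nonce only shows the request came from a logged-in
// session of this site (a CSRF defence). It says nothing about whether the
// user may change settings, and any user who can load /wp-admin obtains it.
function example_update_option_vulnerable() {
    check_ajax_referer( 'example_nonce', 'nonce' );      // CSRF check only
    $name  = sanitize_key( wp_unslash( $_POST['option_name'] ) );
    $value = wp_unslash( $_POST['option_value'] );
    update_option( $name, $value );                      // any option, any user
    wp_send_json_success();
}

// Hardened pattern: keep the nonce, add authorization, and restrict the
// handler to the options it exists to manage.
const EXAMPLE_ALLOWED_OPTIONS = array( 'example_theme_layout', 'example_theme_accent' );

function example_update_option_hardened() {
    check_ajax_referer( 'example_nonce', 'nonce' );

    // Authorization: theme settings use the same capability as the Appearance
    // screens (assumed here); Subscribers fail this check.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $name = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';

    // Allowlist: even an authorized user cannot reach core options such as
    // users_can_register or default_role through this endpoint.
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $name, $value );
    wp_send_json_success();
}

// Register only the hardened handler; no wp_ajax_nopriv_ hook, so the action
// is never reachable without a session.
add_action( 'wp_ajax_example_update_option', 'example_update_option_hardened' );
```

When reviewing a theme or plugin, the quick test is to read every `wp_ajax_*` handler and confirm it contains a `current_user_can()` call in addition to `check_ajax_referer()`; the nonce alone is never sufficient.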

The discovery was made by Patchstack Alliance community member Denver Jackson. Patchstack users are protected from this vulnerability. For more details, see the Patchstack blog post.

Synthesized by Vypr AI