CVE-2025-0952
Published: 14 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-0952 affects the Eco Nature - Environment & Ecology theme for WordPress, impacting all versions up to and including 2.0.4. The vulnerability stems from a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action, enabling unauthorized modification of data. This flaw, classified under CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), reflecting high integrity and availability impacts with no confidentiality loss.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely without user interaction. By leveraging the unprotected AJAX endpoint, they can update WordPress option values to 'hide', potentially triggering site errors that deny service to legitimate users. Attackers could also manipulate specific options, such as the one that enables registration, to further disrupt or alter site functionality.
Advisories detailing the issue are available from sources including Wordfence and the theme's ThemeForest page. The CVE was published on 2025-03-14; the core description outlines no specific patch or mitigation details beyond updating the theme.
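A post-incident check for the tampering described above, added here as an example and not taken from the advisory or the theme: it reads a WordPress options export and flags options whose value is 'hide'. It assumes the export is JSON with `option_name` and `option_value` fields, the shape produced by `wp option list --format=json`; the watchlist, function name and sample rows are constructed for illustration.

```python
import json

MARKER = "hide"  # value the advisory says the AJAX action writes into options

# Core WordPress options for which "hide" is not an expected value.
# Watchlist assembled for this example; extend it for the site being checked.
CORE_WATCHLIST = {
    "siteurl", "home", "users_can_register", "default_role",
    "active_plugins", "template", "stylesheet", "admin_email",
}

# Constructed sample export (not real site data).
SAMPLE_EXPORT = json.dumps([
    {"option_name": "siteurl", "option_value": "https://example.test"},
    {"option_name": "users_can_register", "option_value": "hide"},
    {"option_name": "active_plugins", "option_value": "hide"},
    {"option_name": "example_theme_notice_dismissed", "option_value": "hide"},
    {"option_name": "blogname", "option_value": "Example Site"},
])


def audit_options(export_json):
    """Return (tampered, review): sorted names of options holding MARKER.

    tampered: core options where MARKER indicates overwritten data.
    review:   other options holding MARKER; these may be legitimate
              notice-dismissal flags and need a manual look.
    """
    tampered, review = [], []
    for row in json.loads(export_json):
        name = row.get("option_name", "")
        value = row.get("option_value")
        # Only string values can match; skip anything else in the export.
        if not isinstance(value, str) or value.strip().lower() != MARKER:
            continue
        (tampered if name in CORE_WATCHLIST else review).append(name)
    return sorted(tampered), sorted(review)


if __name__ == "__main__":
    tampered, review = audit_options(SAMPLE_EXPORT)
    for name in tampered:
        print(f"TAMPERED core option set to '{MARKER}': {name}")
    for name in review:
        print(f"review (may be a legitimate notice flag): {name}")
```

Options reported as tampered need their previous values restored from a backup; updating the theme does not revert them.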
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing WordPress theme allows authenticated attackers to exploit missing authorization on AJAX action for unauthorized modification of stored options, enabling data manipulation and potential DoS via site errors.