CVE-2025-0952
Published: 14 March 2025
Summary
CVE-2025-0952 is a high-severity Missing Authorization (CWE-862) vulnerability in Themeforest (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 26.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations on the 'cmsmasters_hide_admin_notice' AJAX action to prevent unauthorized modification of WordPress options by subscriber-level users.
Applies least privilege to restrict subscriber-level accounts from accessing or modifying sensitive site options via unprotected AJAX endpoints.
Restricts logical access to changes in WordPress configuration options, mitigating unauthorized updates that lead to denial of service.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing WordPress theme allows authenticated attackers to exploit missing authorization on AJAX action for unauthorized modification of stored options, enabling data manipulation and potential DoS via site errors.
NVD Description
The Eco Nature - Environment & Ecology WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.
Deeper analysis
CVE-2025-0952 affects the Eco Nature - Environment & Ecology WordPress Theme for WordPress, impacting all versions up to and including 2.0.4. The vulnerability stems from a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action, enabling unauthorized modification of data. This flaw, classified under CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), highlighting high integrity and availability impacts with no confidentiality loss.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely without user interaction. By leveraging the unprotected AJAX endpoint, they can update WordPress option values to 'hide', potentially triggering site errors that deny service to legitimate users. Attackers could also manipulate specific options, such as enabling registration, to further disrupt or alter site functionality.
Advisories detailing the issue are available from sources including Wordfence and the theme's ThemeForest page. The CVE was published on 2025-03-14; the core description outlines no specific patch or mitigation details beyond updating the theme.
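A hardened form of the kind of handler the analysis describes, as an added example that is not the theme's own code or its actual patch. The function name, nonce action, `notice_id` parameter, option prefix, notice IDs and the choice of `manage_options` are assumptions made for illustration.

```php
<?php
// Hypothetical handler: the function name, nonce action, 'notice_id' parameter,
// option prefix and notice IDs are assumptions, not taken from the theme's source.

const EXAMPLE_DISMISSIBLE_NOTICES = array( 'welcome', 'update_available' );

// Only the authenticated hook is registered. There is no wp_ajax_nopriv_ hook,
// so anonymous visitors never reach the handler.
add_action( 'wp_ajax_cmsmasters_hide_admin_notice', 'example_hide_admin_notice' );

function example_hide_admin_notice() {
    // AC-3 (Access Enforcement): wp_ajax_* hooks fire for every logged-in user,
    // Subscribers included, so the handler must check a capability itself.
    // 'manage_options' is an assumed choice of administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // CSRF protection: the nonce must be one issued for this specific action.
    if ( ! check_ajax_referer( 'example_hide_admin_notice', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // AC-6 (Least Privilege): the request never names an option directly.
    // The submitted value is matched against a fixed allowlist and the
    // option key is built server-side from a constant prefix.
    $notice_id = isset( $_POST['notice_id'] )
        ? sanitize_key( wp_unslash( $_POST['notice_id'] ) )
        : '';
    if ( ! in_array( $notice_id, EXAMPLE_DISMISSIBLE_NOTICES, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown notice' ), 400 );
    }

    update_option( 'example_notice_' . $notice_id, 'hide', false );
    wp_send_json_success();
}
```

The capability check closes the missing-authorization gap, and the allowlist keeps a handler meant to dismiss notices from writing any other option even if a privileged account is compromised.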
Details
- CWE(s)