CVE-2025-4606
Published: 09 July 2025
Summary
CVE-2025-4606 is a critical-severity Unverified Password Change (CWE-620) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 49.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 requires verification of user identity and secure management of authenticators like passwords prior to changes, directly addressing the theme's failure to validate identity before password updates.
AC-3 enforces approved authorizations for access to system resources, preventing unauthenticated attackers from updating arbitrary user account details including passwords.
AC-2 mandates secure account management processes, including authorization and review of account changes, mitigating unauthorized privilege escalation via account takeover.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw lets an unauthenticated remote caller modify passwords in a public-facing WordPress application. That maps to Exploitation for Privilege Escalation (T1068) and Exploit Public-Facing Application (T1190), with administrator account takeover as the outcome.
NVD Description
The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Deeper analysis
CVE-2025-4606 is a privilege escalation vulnerability affecting the Sala - Startup & SaaS WordPress Theme for WordPress in all versions up to and including 1.1.4. The issue stems from the theme failing to properly validate a user's identity before allowing updates to account details, such as passwords. This flaw, classified under CWE-620 (Unverified Password Change), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the inadequate validation, attackers can arbitrarily change passwords for any user account, including administrators, enabling full account takeover and subsequent control over the WordPress site.
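To make the weakness class concrete for reviewers auditing their own themes and plugins, here is an added PHP illustration of CWE-620 in a WordPress AJAX handler, followed by a hardened version. This is example code written for this page; it is not the Sala theme's code, and the handler names (`vuln_update_profile`, `safe_update_password`), the nonce action name and the request field names are hypothetical. All WordPress functions used (`wp_set_password`, `check_ajax_referer`, `get_current_user_id`, `current_user_can`, `get_userdata`, `wp_check_password`, `wp_send_json_error`, `wp_send_json_success`) are standard core APIs.

```php
<?php
// Added illustration of CWE-620 (Unverified Password Change) in a WordPress
// theme/plugin. Handler and field names are hypothetical; this is NOT the
// Sala theme's code.

// --- Vulnerable pattern (shown only to be recognised during review) --------
// Registered on wp_ajax_nopriv_, so unauthenticated callers reach it; it trusts
// a user ID and password taken from the request and never checks who is asking.
function vuln_update_profile() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) ( $_POST['password'] ?? '' );
    if ( $user_id && $password !== '' ) {
        wp_set_password( $password, $user_id ); // any account, any caller
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_vuln_update_profile', 'vuln_update_profile' );
add_action( 'wp_ajax_nopriv_vuln_update_profile', 'vuln_update_profile' );

// --- Hardened pattern -------------------------------------------------------
// 1. No wp_ajax_nopriv_ hook: only logged-in users reach the handler (AC-3).
// 2. Nonce check blocks cross-site requests riding a logged-in victim's session.
// 3. Caller may only change their own password, or must hold edit_user on the
//    target account (AC-2/AC-3).
// 4. Self-service changes must re-prove the current password first (IA-5).
function safe_update_password() {
    check_ajax_referer( 'safe_update_password', 'nonce' ); // terminates on failure

    $caller_id = get_current_user_id();
    $target_id = absint( $_POST['user_id'] ?? $caller_id );
    $current   = (string) ( $_POST['current_password'] ?? '' );
    $new       = (string) ( $_POST['new_password'] ?? '' );

    // Authorization: self-service, or an explicit capability on that user.
    if ( $target_id !== $caller_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user = get_userdata( $target_id );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 404 );
    }

    // Re-authentication: the identity check the vulnerable handler omits.
    if ( $target_id === $caller_id
         && ! wp_check_password( $current, $user->user_pass, $target_id ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }

    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $new, $target_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_safe_update_password', 'safe_update_password' );
```

The form that posts to the hardened handler must include a nonce generated with `wp_create_nonce( 'safe_update_password' )` in the `nonce` field. For code review, the vulnerable shape is easy to grep for: any `wp_ajax_nopriv_` handler (or an unauthenticated REST route) that reaches `wp_set_password()` or `wp_update_user()` with a user ID supplied by the request is the pattern this CVE describes and should be treated as a finding until proven otherwise.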
Advisories detailing the vulnerability, including potential mitigation steps, are available from sources such as the Wordfence threat intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/aa385a1f-1623-4f0a-bb2f-d4564b8f91bf?source=cve) and the theme's ThemeForest listing (https://themeforest.net/item/sala-startup-saas-wordpress-theme/33843955?s_rank=4), published on 2025-07-09. Security practitioners should consult these for guidance on updates or workarounds.
Details
- CWE(s)