CVE-2025-0951
LiquidThemes Themes <= Various Versions - Missing Authorization to Authenticated (Subscriber+) All Plugins Deactivated
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquid_reset_wordpress_before AJAX in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate all of a site's plugins. While we escalated this to Envato after not being able to establish contact, it appears the developer added a nonce check, however that is not sufficient protection as the nonce is exposed to all users with access to the dashboard.
| CWE | CWE-862 |
| Vendor | liquidthemes |
| Product | ai hub - startup & technology wordpress theme |
| Published | Aug 28, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for liquidthemes ai hub - startup & technology wordpress theme
Be the first to know when new medium vulnerabilities affecting liquidthemes ai hub - startup & technology wordpress theme are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
LiquidThemes / AI Hub - Startup & Technology WordPress Theme
0
LiquidThemes / Hub - Responsive Multi-Purpose WordPress Theme
0
LiquidThemes / ArcHub - Architecture and Interior Design WordPress Theme
0
References
Credits
Lucio Sรก