{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0952", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-01-31T19:44:01.188Z", "datePublished": "2025-03-14T05:24:03.281Z", "dateUpdated": "2026-04-08T17:18:14.310Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:14.310Z"}, "affected": [{"vendor": "cmsmasters", "product": "Eco Nature - Environment & Ecology WordPress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Eco Nature - Environment & Ecology WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration."}], "title": "Eco Nature - Environment & Ecology WordPress Theme <= 2.0.4 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba708a4f-d987-4d63-a218-2ed1c6daa010?source=cve"}, {"url": "https://themeforest.net/item/eco-nature-environment-ecology-wordpress-theme/8497776"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2025-03-13T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-14T13:31:35.128526Z", "id": "CVE-2025-0952", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T13:33:18.039Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0952", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-14T13:31:35.128526Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T13:33:12.222Z"}}], "cna": {"title": "Eco Nature - Environment & Ecology WordPress Theme <= 2.0.4 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "cmsmasters", "product": "Eco Nature - Environment & Ecology WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-13T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba708a4f-d987-4d63-a218-2ed1c6daa010?source=cve"}, {"url": "https://themeforest.net/item/eco-nature-environment-ecology-wordpress-theme/8497776"}], "descriptions": [{"lang": "en", "value": "The Eco Nature - Environment & Ecology WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:14.310Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0952", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:14.310Z", "dateReserved": "2025-01-31T19:44:01.188Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-14T05:24:03.281Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Eco Nature - Environment & Ecology WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration."}, {"lang": "es", "value": "El tema Eco Nature - Environment &amp; Ecology WordPress Theme para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos, lo que puede provocar una denegaci\u00f3n de servicio debido a la falta de comprobaci\u00f3n de capacidad en la acci\u00f3n AJAX \"cmsmasters_hide_admin_notice\" en todas las versiones hasta la 2.0.4 incluida. Esto permite a atacantes autenticados, con acceso de suscriptor o superior, actualizar los valores de las opciones a \"ocultar\" en el sitio de WordPress. Esto puede aprovecharse para actualizar una opci\u00f3n que genere un error en el sitio y deniegue el servicio a usuarios leg\u00edtimos, o para establecer algunos valores como \"verdaderos\", como el registro."}], "id": "CVE-2025-0952", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-14T06:15:24.683", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/eco-nature-environment-ecology-wordpress-theme/8497776"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba708a4f-d987-4d63-a218-2ed1c6daa010?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:55:11.340639+00:00", "value": {"mitigation_remediation": ["Update the Eco Nature theme to the most recent release that includes the missing capability check.", "If an upgrade is not possible immediately, edit the theme\u2019s functions file to add a capability verification before processing the 'cmsmasters_hide_admin_notice' Ajax request, or delete the unregister action entirely.", "Reconfigure the Subscriber role to remove or restrict capabilities that allow modification of theme options, using a role\u2011management plugin."], "summary": {"action": "Patch Now", "impact": "Unauthorized data modification leading to potential denial of service"}, "threat_synthesis": {"affected_systems": "Any WordPress installation using cmsmasters\u2019 Eco Nature \u2013 Environment & Ecology WordPress Theme version 2.0.4 or earlier is affected. The issue exists in all released builds up to and including that version. Sites that are still running these releases with at least a Subscriber\u2011level user account are at risk.", "description_and_impact": "The Eco Nature WordPress Theme is vulnerable because the Ajax handler 'cmsmasters_hide_admin_notice' lacks a capability check. An authenticated user with the Subscriber role or higher can invoke this handler to change theme options. The attacker can set values that cause fatal errors or enable unwanted features, resulting in a denial of service for legitimate users. The vulnerability does not expose sensitive data but allows modification of site configuration that can disrupt normal operation.", "risk_and_exploitability": "The CVSS score of 8.1 categorizes the flaw as high severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The attack requires that the attacker already has authenticated access to the site; no elevated server privileges are needed. Because the flaw is not listed in the CISA KEV catalog and no public exploits are confirmed, the threat is primarily to availability rather than confidentiality or integrity. However, if a malicious user gains the necessary role, they could disrupt the site or enable unwanted registration settings."}}}}, "created": "2026-04-22T02:00:05.039410+00:00", "updated": "2026-04-22T02:00:05.039420+00:00", "vendors": []}