{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8999", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-13T18:26:47.098Z", "datePublished": "2025-09-17T11:25:55.832Z", "dateUpdated": "2026-04-08T17:10:13.080Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:13.080Z"}, "affected": [{"vendor": "athemes", "product": "Sydney", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.56", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules."}], "title": "Sydney <= 2.56 - Missing Authorization to Authenticated (Subscriber+) Limited Theme Options Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/965582c6-a52e-4f88-81ef-b5dd761a0c23?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/sydney/2.55/inc/classes/class-sydney-modules.php#L166"}, {"url": "https://themes.trac.wordpress.org/browser/sydney/2.55/inc/modules/class-sydney-modules.php#L72"}, {"url": "https://themes.trac.wordpress.org/changeset/288374/"}, {"url": "https://research.cleantalk.org/cve-2025-8999/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-08-15T15:11:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-16T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-17T13:06:54.201065Z", "id": "CVE-2025-8999", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T13:07:02.567Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8999", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-17T13:06:54.201065Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T13:06:58.773Z"}}], "cna": {"title": "Sydney <= 2.56 - Missing Authorization to Authenticated (Subscriber+) Limited Theme Options Update", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "athemes", "product": "Sydney", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.56"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-15T15:11:05.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-16T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/965582c6-a52e-4f88-81ef-b5dd761a0c23?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/sydney/2.55/inc/classes/class-sydney-modules.php#L166"}, {"url": "https://themes.trac.wordpress.org/browser/sydney/2.55/inc/modules/class-sydney-modules.php#L72"}, {"url": "https://themes.trac.wordpress.org/changeset/288374/"}, {"url": "https://research.cleantalk.org/cve-2025-8999/"}], "descriptions": [{"lang": "en", "value": "The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:13.080Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8999", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:10:13.080Z", "dateReserved": "2025-08-13T18:26:47.098Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-17T11:25:55.832Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules."}], "id": "CVE-2025-8999", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-17T12:15:38.760", "references": [{"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-8999/"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/sydney/2.55/inc/classes/class-sydney-modules.php#L166"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/sydney/2.55/inc/modules/class-sydney-modules.php#L72"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/changeset/288374/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/965582c6-a52e-4f88-81ef-b5dd761a0c23?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:51:55.677729+00:00", "value": {"mitigation_remediation": ["Upgrade the Sydney theme to the latest version, removing the vulnerable activation_modules code", "Revoke or limit the ability of Subscriber roles to manage theme options by adjusting WordPress role capabilities", "Monitor changes to theme module settings and review logs for unauthorized activity"], "summary": {"action": "Assess Impact", "impact": "Unauthorized modification of theme module settings by authenticated users with Subscriber-level access"}, "threat_synthesis": {"affected_systems": "Sydney WordPress theme developed by athemes, all releases up to and including version\u202f2.56. Any installation of these releases is vulnerable; no specific sub\u2011versions beyond 2.56 are listed.", "description_and_impact": "The vulnerability resides in the activate_modules function of the Sydney WordPress theme, where a missing capability check allows any authenticated user with at least Subscriber privileges to toggle the activation state of theme modules. This flaw creates a privilege escalation scenario that enables attackers to alter the configuration of a site without requiring higher-level administrative rights. While the impact is limited to configuration changes rather than code execution, it can disrupt user experience, hide or misconfigure features, and compromise site integrity.", "risk_and_exploitability": "The vulnerability has a moderate CVSS score of 5.3, indicating significant but not critical risk. The EPSS score is below 1\u202f%, reflecting a very low probability of exploitation at this time. The issue is not listed in CISA KEV, further reducing its current threat level. Because the attack vector requires an existing authenticated Subscriber account\u2014possibly through credential theft, social engineering, or legitimate content contributors\u2014the vulnerability is more likely if an attacker gains or leverages such credentials."}}}}, "created": "2025-09-18T12:41:52.198809+00:00", "updated": "2026-04-21T03:00:06.375961+00:00", "vendors": ["athemes", "athemes$PRODUCT$sydney_toolbox", "wordpress", "wordpress$PRODUCT$wordpress"]}