A critical security vulnerability has been discovered in Soledad, one of the most popular general-purpose WordPress themes on the market with over 57,000 active sales. The flaw, which carries a near-maximum CVSS score of 9.8, allows low-level users to silently escalate their privileges and seize full control of a website.
The vulnerability, tracked as CVE-2025-64188, was detailed in a security advisory from Patchstack. It affects theme versions 8.6.9 and earlier.
The core of the issue lies in a dangerous oversight within the theme’s code—specifically, how it handles global site settings. The vulnerability exists in the penci_update_option AJAX action, a function intended for site management but left dangerously exposed.
According to the advisory, “The root cause of the issue lies in the penci_update_option function”. While the function included a nonce check—a standard security token used to verify that a request originated from a page the site rendered—it failed to verify who was making the request.
“This action requires nonce validation, but does not check the user’s permissions or limit what options can be changed,” the report explains. Crucially, the required security token is “available to any user able to access /wp-admin,” effectively handing the keys to anyone with a basic login.
By exploiting this flaw, a user with the lowest level of access—such as a Subscriber—can manipulate critical WordPress settings like users_can_register (allowing anyone to register) and default_role (setting new users as Administrators).
The advisory paints a grim picture of the exploit chain: “Put together, this means any Subscriber or higher user is able to change site registration settings to allow new users to be created as Administrators, leading to a full site takeover”.
The developers of Soledad, PenciDesign, have released a fix in version 8.6.9.1. The patch closes the loophole by implementing a strict permissions check.
“In version 8.6.9.1, the vulnerability is mitigated with the addition of a current_user_can permissions check, ensuring that only legitimate, privileged users are allowed to use this AJAX action”.
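To illustrate the pattern the advisory describes, the following is an added PHP example, not Soledad's code: the action name demo_update_option, the nonce name and the theme option names are hypothetical. It shows a WordPress AJAX handler that only checks a nonce beside one that also checks current_user_can and restricts which options may be written.

```php
<?php
// Added illustrative example (hypothetical names), not the Soledad theme's code.

// BEFORE: nonce check only. Any logged-in user who can reach /wp-admin can obtain
// the nonce, so a Subscriber can still write arbitrary options (users_can_register,
// default_role, ...).
function demo_update_option_vulnerable() {
    check_ajax_referer( 'demo_nonce', 'nonce' );   // proves the request came from our page...
    $name  = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );                 // ...but not that the user may change settings
    wp_send_json_success();
}

// AFTER: capability check plus an allowlist of the options this handler may touch.
function demo_update_option_hardened() {
    check_ajax_referer( 'demo_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { // rejects Subscribers, Contributors, Authors, Editors
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'demo_theme_layout', 'demo_theme_color' ); // hypothetical theme options only
    $name    = sanitize_key( $_POST['name'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {    // core options such as default_role are never writable here
        wp_send_json_error( 'option not permitted', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
}

// Only the hardened handler is registered for the (hypothetical) AJAX action.
add_action( 'wp_ajax_demo_update_option', 'demo_update_option_hardened' );
```

A nonce defends against cross-site request forgery, not against an authenticated low-privilege user; the capability check and the allowlist are what prevent the privilege escalation.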
Administrators running the Soledad theme are urged to update to version 8.6.9.1 immediately to prevent unauthorized site takeovers.