Privilege Escalation Vulnerability in Soledad Theme Affecting 50k+ Sites

Published 10 December 2025
Soledad Theme | Privilege Escalation | 57K | CVSS 9.8

This blog post is about a Subscriber+ privilege escalation vulnerability in the Soledad theme. If you're a Soledad theme user, please update to at least version 8.6.9.1.

This vulnerability was discovered and reported by Patchstack Alliance community member Denver Jackson.


About Soledad theme

The Soledad theme, which has over 57,000 active sales, is a general-purpose WordPress theme sold by PenciDesign.

A promotional image advertising the Soledad theme. The image is text content advertising that the theme is a "Top selling WP theme for Mulit-Purpose"

The security vulnerability

In versions 8.6.9 and below, the theme is vulnerable to privilege escalation because the penci_update_option AJAX action allows any logged-in user to change global site settings, such as users_can_register and default_role. The action requires nonce validation, but it neither checks the user's capabilities nor limits which options can be changed. Additionally, the nonce in question is available to any user able to access /wp-admin. Put together, this means any user with the Subscriber role or higher can change the site's registration settings so that new accounts are created as Administrators, leading to a full site takeover.

This vulnerability has been patched in version 8.6.9.1 and is tracked with CVE-2025-64188.

The root cause of the issue lies in the penci_update_option function:

public function penci_update_option() {
	// Nonce check only: it proves the request came from a page that embedded the nonce,
	// which any user able to load /wp-admin can obtain. It is not a capability check.
	check_ajax_referer( 'ajax-nonce', 'nonce' );
	$option_name = isset( $_POST['option_name'] ) ? sanitize_text_field( wp_unslash( $_POST['option_name'] ) ) : '';
	$option_val  = isset( $_POST['option_val'] ) ? wp_unslash( $_POST['option_val'] ) : '';

	// No current_user_can() check and no restriction on $option_name: any option,
	// including users_can_register and default_role, can be overwritten.
	if ( $option_name && $option_val ) {
		update_option( $option_name, $option_val );
		wp_send_json_success( array( 'message' => 'Option updated successfully.' ) );
	} else {
		wp_send_json_error( array( 'message' => 'Invalid option name.' ) );
	}
}

The patch

In version 8.6.9.1, the vulnerability is mitigated with the addition of a current_user_can permissions check, ensuring that only legitimate, privileged users are allowed to use this AJAX action.

A screenshot of diff output between the unpatched and patched version of the file, showing the addition of a current_user_can() permission check.
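As an added illustration (this is not the theme's actual patched code, and the capability name and option allowlist below are assumptions), a hardened version of the handler keeps the nonce check for CSRF protection but adds the two controls the vulnerable version lacked: a capability check and a restriction on which options the endpoint may write.

```php
<?php
// Added example, not the theme's own patch. Assumes the handler is registered
// for authenticated users via the wp_ajax_ hook and that 'manage_options' is
// the appropriate capability for editing global site settings.
add_action( 'wp_ajax_penci_update_option', 'hardened_penci_update_option' );

function hardened_penci_update_option() {
	// 1. Nonce: defends against CSRF only. It is not an authorization check.
	check_ajax_referer( 'ajax-nonce', 'nonce' );

	// 2. Capability: the check missing from the vulnerable version.
	//    Subscribers (and Contributors, Authors, Editors) stop here.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Allowlist: even an administrator should not be able to write arbitrary
	//    core options (users_can_register, default_role, siteurl, ...) through a
	//    generic endpoint. The names below are hypothetical theme options.
	$allowed_options = array(
		'penci_example_layout',
		'penci_example_sidebar',
	);

	$option_name = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
	$option_val  = isset( $_POST['option_val'] ) ? sanitize_text_field( wp_unslash( $_POST['option_val'] ) ) : '';

	if ( '' === $option_name || ! in_array( $option_name, $allowed_options, true ) ) {
		// wp_send_json_error() calls wp_die(), so execution ends here.
		wp_send_json_error( array( 'message' => 'Invalid option name.' ), 400 );
	}

	update_option( $option_name, $option_val );
	wp_send_json_success( array( 'message' => 'Option updated successfully.' ) );
}
```

The capability check alone would have closed the reported privilege escalation; the allowlist additionally limits the blast radius if the nonce and an administrator session are ever misused.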

Conclusion

Nonce validation is essential for any site functionality that can cause changes, and a lack of nonce validation can lead to other vulnerabilities, such as CSRF attacks.

However, like the WordPress developer documentation says:

Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can() and always assume that nonces can be compromised.

Even when a nonce is only exposed to the intended users, it is not a substitute for proper user validation, because the risk of compromise always exists. And when a nonce is exposed more broadly, as in this case, it leads to a problem common to many WordPress components: access control ends up limited only by who can click View Page Source and find the nonce in the markup.

Privileged functionality should always be specifically validating permissions, and cannot just assume that only the correct users will have the needed nonce.


Timeline

23 September 2025: We received the vulnerability report and notified the vendor.
22 October 2025: The vendor submitted the patch to Patchstack.
23 October 2025: We published the vulnerability entry to the Patchstack database.
24 October 2025: Version 8.6.9.1 of the theme is released.
10 December 2025: Security advisory article publicly released.
