CVE-2025-0952

Name of the Vulnerable Software and Affected Versions: The Eco Nature - Environment & Ecology WordPress Theme versions up to, and including, 2.0.4

Description: The issue allows authenticated attackers with Subscriber-level access and above to modify data, potentially leading to a denial of service. This is due to a missing capability check on the 'cmsmasters hide admin notice' AJAX action. Attackers can update option values to 'hide' on the WordPress site, creating an error or denying service to legitimate users. They can also set certain values to true, such as registration.

Recommendations: For versions up to, and including, 2.0.4, update to a version that includes a fix for the missing capability check on the 'cmsmasters hide admin notice' AJAX action to prevent unauthorized modification of data. As a temporary workaround, consider restricting access to the 'cmsmasters hide admin notice' AJAX action to prevent exploitation until a patch is available.