Unauthorized Data Modification in Sydney Theme for WordPress
CVE-2025-8999

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Sydney
Vendor: CVE Published:; 17 September 2025

What is CVE-2025-8999?

The Sydney theme for WordPress is susceptible to unauthorized data modification due to a missing capability check in the 'activate_modules' function. This vulnerability affects all versions up to and including 2.56, allowing authenticated users with Subscriber-level access and higher to activate or deactivate theme modules without proper authorization. As a result, this could lead to significant changes in the site's functionality and potential exploitation by malicious users.

Affected Version(s)

Sydney * <= 2.56

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themes.trac.wordpress.org/browser/sydney/2.55/inc...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 17, 2025
Vulnerability Reserved
Aug 13, 2025

Credit

Dmitrii Ignatyev