CVE-2025-8669: 
WordPress vulnerability analysis and mitigation

The Customify WordPress theme version 0.4.11 contains a Cross-Site Request Forgery (CSRF) vulnerability in the resetcustomizesection function due to missing or incorrect nonce validation. The vulnerability was discovered on October 3, 2025 and assigned identifier CVE-2025-8669 (NVD).

The vulnerability exists due to improper security controls in the resetcustomizesection function of the theme's customizer component. Specifically, the function lacks proper nonce validation which is required to prevent CSRF attacks. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 MEDIUM with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (Wordfence).

An unauthenticated attacker can potentially trick authenticated administrators into resetting theme customization settings by having them click on a specially crafted link. This could result in the loss of theme customization configurations if the victim interacts with the malicious request (NVD).

The vulnerability has been fixed in Customify version 0.4.12 with the addition of proper nonce validation. Users are advised to update to this version or later. The fix can be seen in the source code changes where nonce verification was implemented (WordPress Themes).