CVE-2025-8595
Description
The Zakra theme for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Zakra WordPress theme (≤4.1.5) allows authenticated Subscriber+ users to import demo settings due to a missing capability check, enabling unauthorized site modification.
Vulnerability
Overview
The Zakra WordPress theme, installed on over 50,000 sites, contains a missing authorization vulnerability in its demo import functionality. The welcome_notice_import_handler() function lacks a capability check, and the associated nonce (zakra_demo_import_nonce) is exposed to all authenticated users via wp_localize_script. This allows any user with Subscriber-level access or above to invoke the demo import process through the import_button AJAX action [1].
Exploitation
Prerequisites
An attacker must be an authenticated WordPress user with at least Subscriber privileges. No additional permissions are required because the AJAX endpoint only validates the nonce, not the user's capabilities. The nonce is publicly available in the page source on the Theme Install and Profile pages, making it trivial to obtain [1].
Impact
Successful exploitation enables the attacker to import arbitrary demo content, modify site configuration, or trigger long-running import operations. This can disrupt the site's appearance and functionality, and may serve as a stepping stone for further privilege escalation or persistent compromise [1].
Mitigation
The vulnerability affects Zakra versions up to and including 4.1.5. Users should update to the latest patched version (4.1.6 or later) as soon as possible. A proof-of-concept (PoC) has been published, but no active exploits have been reported at the time of disclosure [1].
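To make the defect in the Overview and the fix behind the Mitigation concrete, here is an added, illustrative PHP reconstruction of the pattern; it is not Zakra's actual source. The nonce action name `zakra_demo_import_nonce` and the `import_button` action come from the advisory; the request field name `security`, the script handle `zakra-welcome-notice`, the helper `run_demo_import()` and the choice of the `edit_theme_options` capability are assumptions.

```php
<?php
// Illustrative reconstruction (not the theme's real code) of a WordPress
// AJAX import handler that trusts a nonce alone, beside the hardened form.

// --- Vulnerable pattern, as described for CVE-2025-8595 ---
// The nonce is handed to every logged-in user via wp_localize_script, so
// verifying it proves only that the request originated from a logged-in
// page view. It says nothing about whether the user may change the theme.
function zakra_demo_import_vulnerable() {
    check_ajax_referer( 'zakra_demo_import_nonce', 'security' ); // assumed field name
    // Missing: current_user_can(). A Subscriber reaches this line.
    run_demo_import(); // hypothetical helper that performs the import
    wp_send_json_success();
}

// --- Hardened pattern ---
function zakra_demo_import_hardened() {
    // 1. Authorization first: only users allowed to change theme settings
    //    may trigger an import. 'edit_theme_options' is a core capability
    //    that Subscribers do not hold; pick the capability that matches
    //    what the import actually modifies.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // 2. CSRF protection: the nonce is still required, as a second layer.
    check_ajax_referer( 'zakra_demo_import_nonce', 'security' );
    run_demo_import();
    wp_send_json_success();
}
// Only the hardened handler is hooked; the vulnerable one is kept for contrast.
add_action( 'wp_ajax_import_button', 'zakra_demo_import_hardened' );

// Exposure reduction: emit the nonce only for users who can use it, so it
// no longer appears in page source for Subscribers. Authorization in the
// handler above remains the real control; this is defense in depth.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        return;
    }
    wp_localize_script( 'zakra-welcome-notice', 'zakraDemoImport', array( // assumed handle
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'zakra_demo_import_nonce' ),
    ) );
} );
```

A quick audit check for similar handlers: every `wp_ajax_*` callback that changes state should contain a `current_user_can()` call in addition to its nonce check, since a nonce is not an authorization mechanism.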
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 3
News mentions: 0 (no linked articles in the index yet)