Description
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
Published: 2025-09-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate patch
AI Analysis

Impact

The Goza - Nonprofit Charity WordPress Theme includes a function that processes plugin installation requests but fails to validate user privileges. This missing capability check allows an attacker who is not logged in to upload an arbitrary zip file. If the zip contains a webshell or other executable code, the attacker can gain remote code execution on the underlying WordPress server. The primary weakness corresponds to CWE-862, an authorization failure that permits unauthorized access to privileged operations.
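The shape of this bug and of the standard WordPress fix, shown as an added illustration (this is not the Goza theme's source, which is not reproduced on this page; the `example_*` hook and function names, the request parameter names, the nonce action and the package URL are assumptions chosen for the example, while the WordPress API calls are real):

```php
<?php
// Added illustration, not the theme's own code. Hook names, request parameter
// names, the nonce action and the package URL are assumptions; add_action,
// check_ajax_referer, current_user_can, wp_send_json_* and Plugin_Upgrader are core WordPress API.

/** Download a plugin zip and unpack it into wp-content/plugins with core's upgrader. */
function example_install_plugin_package( $package_url ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $package_url ); // true on success, false or WP_Error otherwise
}

// ---- Vulnerable shape (CWE-862): reachable by anonymous requests, no nonce,
// ---- no capability check, and the package URL comes from the request body.
// Registered only behind a constant so this file is safe to load as-is.
if ( defined( 'EXAMPLE_SHOW_VULNERABLE' ) && EXAMPLE_SHOW_VULNERABLE ) {
    add_action( 'wp_ajax_nopriv_example_vuln_install_plugin', 'example_vulnerable_handler' );
    add_action( 'wp_ajax_example_vuln_install_plugin', 'example_vulnerable_handler' );
}

function example_vulnerable_handler() {
    $package = isset( $_POST['plugin_url'] ) ? (string) $_POST['plugin_url'] : '';
    // Anyone who can POST to /wp-admin/admin-ajax.php reaches this line and
    // chooses what gets unpacked into wp-content/plugins.
    example_install_plugin_package( $package );
    wp_send_json_success();
}

// ---- Hardened shape: logged-in requests only, CSRF nonce, capability check,
// ---- and an allow-list of packages instead of an attacker-supplied URL.
add_action( 'wp_ajax_example_import_pack_install_plugin', 'example_hardened_handler' );

function example_hardened_handler() {
    // CSRF: the request must carry a nonce minted for this action (dies on failure).
    check_ajax_referer( 'example_import_pack', 'nonce' );

    // Authorization: the check that is missing in the vulnerable shape.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Map a short slug to a fixed package list; never fetch a URL from the request.
    $packages = array( // assumed bundled pack with an example URL
        'example-slider' => 'https://example.invalid/packs/example-slider.zip',
    );
    $slug = isset( $_POST['plugin'] ) && is_string( $_POST['plugin'] )
        ? sanitize_key( wp_unslash( $_POST['plugin'] ) )
        : '';
    if ( ! isset( $packages[ $slug ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown package.' ), 400 );
    }

    $result = example_install_plugin_package( $packages[ $slug ] );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }
    wp_send_json_success();
}
```

The two differences that matter are the absence of a `wp_ajax_nopriv_*` registration and the `current_user_can( 'install_plugins' )` check before anything is fetched; the nonce and the allow-list close the CSRF and SSRF-style variants that a capability check alone would leave open.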

Affected Systems

Any installation of the Bearsthemes Goza - Nonprofit Charity WordPress Theme at version 3.2.2 or earlier is affected; this page lists no fixed version. The theme is distributed through ThemeForest, and the vulnerable code is its plugin-pack import feature, so a site is exposed whenever the theme is active, whether or not the site owner ever uses that feature.

Risk and Exploitability

The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the issue critical, and the SSVC record marks it Automatable, while the EPSS score below 1% indicates a low observed probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Consistent with the vector, the attack requires no account and no user interaction: the only prerequisite is network access to the import plugin endpoint, which on a WordPress site is typically publicly reachable. Successful exploitation yields remote code execution on the WordPress host.

Generated by OpenCVE AI on April 22, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Goza theme to a release newer than 3.2.2 that adds the capability check, once the vendor publishes one; this page lists no fixed version.
  • If an update is not yet available, either add the missing authorization to 'beplus_import_pack_install_plugin' (a current_user_can('install_plugins') check plus a nonce check, registered for logged-in AJAX requests only) or disable the plugin-pack import functionality until a patched release is installed.
  • Harden the web tier as defence in depth: deny PHP execution under wp-content/uploads, restrict unauthenticated access to the import endpoint at the WAF or web server, and monitor wp-content/plugins for unexpected new directories, since a malicious zip is unpacked as a plugin and its PHP files become directly reachable like any other plugin's. MIME-type checks on the upload do not help here, because a plugin zip is a legitimate format for this endpoint.
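A stop-gap for the second bullet (disable the import endpoint until a patched release exists), as an added example that is not part of the OpenCVE page or the theme: a must-use plugin that refuses admin-ajax requests for the theme's import actions unless the caller may install plugins. It assumes the AJAX action names share the 'beplus_import_pack' prefix of the function named on this page; if the theme exposes the handler through a different route (a direct-access PHP file or a REST route), this filter does not cover it and the theme should be deactivated instead.

```php
<?php
/**
 * Plugin Name: Stop-gap: block unauthorised plugin-pack import (CVE-2025-10690)
 * Description: Added example, not vendor code. Save as wp-content/mu-plugins/block-import-pack.php
 *              and remove once the theme has been updated past 3.2.2.
 */

// ASSUMPTION: the theme dispatches the import through admin-ajax.php with an
// action name that starts with this prefix. Confirm by inspecting the theme.
define( 'BLOCK_IMPORT_PACK_PREFIX', 'beplus_import_pack' );

/**
 * Policy: should this admin-ajax action be refused for a caller with the given
 * capability? Kept free of WordPress globals so it can be exercised in isolation.
 */
function block_import_pack_should_refuse( $action, $user_can_install_plugins ) {
    if ( ! is_string( $action ) ) {
        return false; // malformed action value; core will reject it anyway
    }
    $prefix_len = strlen( BLOCK_IMPORT_PACK_PREFIX );
    if ( strncmp( $action, BLOCK_IMPORT_PACK_PREFIX, $prefix_len ) !== 0 ) {
        return false; // unrelated action, leave it alone
    }
    return ! $user_can_install_plugins;
}

// admin_init fires inside admin-ajax.php before the wp_ajax_* / wp_ajax_nopriv_*
// dispatch, so refusing here stops the theme's handler from ever running.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? wp_unslash( $_REQUEST['action'] ) : '';
    if ( block_import_pack_should_refuse( $action, current_user_can( 'install_plugins' ) ) ) {
        // Leave a trace for incident response: which action, from which address.
        error_log( sprintf(
            'block-import-pack: refused action "%s" from %s',
            sanitize_key( $action ),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
        wp_send_json_error( array( 'message' => 'Plugin-pack import is disabled on this site.' ), 403 );
    }
}, 0 );
```

Priority 0 on `admin_init` puts the check ahead of anything the theme registers on the same hook; the log line is the detection signal to watch for while the mitigation is in place, since repeated refusals from one address are an exploitation attempt.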



Advisories
Source: EUVD
ID: EUVD-2025-30220
Title: The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
History

Fri, 19 Sep 2025 13:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 19 Sep 2025 09:45:00 +0000

Type: First Time appeared
Values added: Bearsthemes; Bearsthemes goza Nonprofit Charity Wordpress Theme; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Bearsthemes; Bearsthemes goza Nonprofit Charity Wordpress Theme; Wordpress; Wordpress wordpress

Fri, 19 Sep 2025 02:45:00 +0000

Type: Description
Values added: The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

Type: Title
Values added: Goza - Nonprofit Charity WordPress Theme <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation

Type: Weaknesses
Values added: CWE-862

Type: References

Type: Metrics
Values added: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:05.652Z

Reserved: 2025-09-18T13:57:31.775Z

Link: CVE-2025-10690

Vulnrichment

Updated: 2025-09-19T13:09:29.292Z

NVD

Status : Deferred

Published: 2025-09-19T03:15:35.177

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10690

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses