Description
The Zakra theme for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo settings.
Published: 2025-08-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in the Zakra WordPress theme and is caused by a missing capability check in the welcome_notice_import_handler() function. Because the function does not verify that the caller has the required permissions, any authenticated user with Subscriber or higher roles can trigger the demo import. The result is that an attacker can change theme configuration and site settings, effectively modifying the appearance, widgets, and other options that belong to the theme. This constitutes unauthorized data modification and can undermine site integrity and serve as a foothold for further malicious activity once the configuration is altered.

Affected Systems

The affected installations are WordPress sites that use the Zakra theme, version 4.1.5 or earlier. All releases up to 4.1.5 inclusive share the flaw; sites that have upgraded to 4.1.6 or newer are no longer vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, and the EPSS score of less than 1% points to a low probability of exploitation at the present time. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires only that the attacker be an authenticated user with a Subscriber or higher role, so the attack vector is remote and credential‑dependent. Once such a user triggers the import, the demonstration settings overwrite existing theme options. The risk is mitigated by updating the theme or disabling the demo import capability for non‑administrators.

Generated by OpenCVE AI on April 21, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zakra to version 4.1.6 or later, which includes the missing capability check.
  • Remove the demo import capability from all non‑administrator roles by adding a filter or custom plugin that denies this capability to Subscribers and lower users.
  • Restrict access to the demo import feature so that only administrators can use it, ensuring that non‑admin users cannot trigger the import function.

Generated by OpenCVE AI on April 21, 2026 at 03:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23717 The Zakra theme for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo settings.
History

Wed, 06 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 Aug 2025 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Themegrill
Themegrill zakra
Wordpress
Wordpress wordpress
Vendors & Products Themegrill
Themegrill zakra
Wordpress
Wordpress wordpress

Wed, 06 Aug 2025 02:45:00 +0000

Type Values Removed Values Added
Description The Zakra theme for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo settings.
Title Zakra <= 4.1.5 - Missing Authorization to Subscriber+ Demo Import
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Themegrill Zakra
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:32.455Z

Reserved: 2025-08-05T13:56:34.374Z

Link: CVE-2025-8595

cve-icon Vulnrichment

Updated: 2025-08-06T13:40:24.442Z

cve-icon NVD

Status : Deferred

Published: 2025-08-06T03:15:27.900

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8595

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:45:27Z

Weaknesses