Impact
The Zakra theme registers three post meta fields for the REST API without a sanitize_callback. When these fields are written through the REST API, the sanitize_hex_color() check that the classic editor path applies is skipped, so any string is stored. The stored values are later concatenated into CSS and emitted through wp_add_inline_style() without escaping; because wp_add_inline_style() writes its argument into a <style> element verbatim, a value that closes that element lets an attacker store arbitrary JavaScript that executes whenever a page containing the post is loaded, enabling defacement, browser hijacking, or credential theft.
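The following is an added example, not code from the Zakra theme or ThemeGrill. It contrasts the vulnerable pattern described above (a post meta key exposed to the REST API with no sanitize_callback, then concatenated into inline CSS) with a hardened registration and output path. The meta key, style handle, hook and function names are hypothetical; it also assumes a stylesheet is enqueued under the handle used for wp_add_inline_style().

```php
<?php
/**
 * Added example: vulnerable vs hardened register_post_meta() for a colour
 * value that ends up in inline CSS. Not Zakra's code; meta key, handle and
 * function names are hypothetical.
 */

// --- Vulnerable pattern -----------------------------------------------------
// show_in_rest exposes the key to POST /wp-json/wp/v2/posts/<id> with a
// {"meta": {"example_header_color": "..."}} body. With no sanitize_callback,
// WordPress stores whatever string the REST request carries; the REST schema
// only checks that the value is a string.
function example_register_color_meta_vulnerable() {
	register_post_meta(
		'post',
		'example_header_color',
		array(
			'type'         => 'string',
			'single'       => true,
			'show_in_rest' => true,
		)
	);
}

// Output side: the raw meta value is concatenated into CSS and written into a
// <style> element by wp_add_inline_style() with no escaping. A constructed
// value such as
//   "#fff; } </style><script>/* attacker script */</script><style>"
// closes the style element and is echoed verbatim into the page.
function example_output_color_vulnerable( $post_id ) {
	$color = get_post_meta( $post_id, 'example_header_color', true );
	wp_add_inline_style(
		'example-style',
		'.site-header { background-color: ' . $color . '; }'
	);
}

// --- Hardened pattern -------------------------------------------------------
// Same rule as core's sanitize_hex_color(): "#" followed by 3 or 6 hex digits,
// otherwise an empty string. Defined locally because core's function lives in
// the Customizer class file, which is not loaded on every request (assumption:
// verify against your WordPress version before relying on it in a callback).
function example_sanitize_hex_color( $color ) {
	if ( ! is_string( $color ) ) {
		return '';
	}
	return preg_match( '/^#([A-Fa-f0-9]{3}){1,2}$/', $color ) ? $color : '';
}

function example_register_color_meta_hardened() {
	register_post_meta(
		'post',
		'example_header_color',
		array(
			'type'              => 'string',
			'single'            => true,
			'show_in_rest'      => true,
			// Runs through sanitize_meta() on every write path, REST included.
			'sanitize_callback' => 'example_sanitize_hex_color',
			// Only users who may edit this specific post may set the key.
			'auth_callback'     => function ( $allowed, $meta_key, $post_id ) {
				return current_user_can( 'edit_post', $post_id );
			},
		)
	);
}

// Output side: re-validate on read (rows written before the callback existed
// are still in the database) and emit nothing that is not a well-formed colour.
function example_output_color_hardened( $post_id ) {
	$color = example_sanitize_hex_color(
		get_post_meta( $post_id, 'example_header_color', true )
	);
	if ( '' === $color ) {
		return;
	}
	wp_add_inline_style(
		'example-style',
		'.site-header { background-color: ' . $color . '; }'
	);
}

add_action( 'init', 'example_register_color_meta_hardened' );
add_action( 'wp_enqueue_scripts', function () {
	// wp_add_inline_style() silently returns false if the handle is unknown,
	// so the stylesheet must be enqueued before the inline CSS is attached.
	wp_enqueue_style( 'example-style', get_stylesheet_uri() );
	if ( is_singular( 'post' ) ) {
		example_output_color_hardened( get_queried_object_id() );
	}
} );
```

Two points worth keeping: the sanitize_callback is what closes the REST write path, because register_meta() hooks it into sanitize_meta(), which every update_metadata() call goes through; and the output-side re-validation matters independently, since a theme update does not rewrite values that were stored while the callback was missing.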
Affected Systems
Any WordPress installation using the Zakra theme, versions up to and including 4.2.0, is vulnerable. The theme is developed by ThemeGrill.
Risk and Exploitability
The vulnerability carries a CVSS score of 6.4 (moderate). No EPSS score is available and the issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated account: only users with Contributor or higher privileges can inject the malicious meta values, and Contributor is the lowest WordPress role that can create posts, so open registration or guest-author workflows widen the exposure. Once injected, the payload executes in the browser of every visitor to the affected post, including higher-privileged users who preview or review it, which gives the attacker broad impact on the confidentiality and integrity of the site's content. Given that, sites running Zakra 4.2.0 or earlier should update the theme past that version promptly and, because an update does not necessarily remove values already stored, inspect existing post meta for unexpected content.
OpenCVE Enrichment