Description
The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with 'show_in_rest' => true and 'auth_callback' => '__return_true', but without any sanitize_callback parameter in the register_post_meta() calls. While the classic editor save path applies sanitize_hex_color() sanitization, the REST API path completely bypasses this protection. The unsanitized meta values are then retrieved via get_post_meta() and concatenated directly into CSS strings that are output through wp_add_inline_style() without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
Published: 2026-07-03
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Zakra theme registers three post meta fields without a sanitize_callback. When these fields are written through the REST API, the sanitize_hex_color() call that the theme's classic-editor save path applies is never reached, so the raw value is stored. The stored values are later concatenated into CSS strings and rendered through wp_add_inline_style() without escaping, allowing an attacker to store arbitrary JavaScript that executes whenever a page containing the post is loaded, thereby enabling defacement, browser hijacking, or credential theft.

Affected Systems

Any WordPress installation using the Zakra theme with a version up to and including 4.2.0 is vulnerable. The vendor for the theme is ThemeGrill.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.4 (Medium), indicating a moderate risk. No EPSS score is available and the issue is not listed in the CISA KEV catalog. Exploitation requires authentication: only users with Contributor or higher privileges can write the malicious meta values. Once stored, the payload executes in the browser of any visitor to the affected post, so the impact on the confidentiality and integrity of the site's content reaches beyond the attacker's own account (the CVSS vector records a changed scope). Given the moderate severity and the low privilege level needed, sites should treat this as a significant risk and address it promptly.

Generated by OpenCVE AI on July 4, 2026 at 00:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Zakra theme to 4.2.1 or later, which removes the vulnerable meta registrations and adds the necessary sanitization.
  • If an immediate update is not possible, disable the REST API exposure of the affected meta fields by setting 'show_in_rest' => false or by replacing the 'auth_callback' with a stricter check so that only trusted users can write these fields.
  • Limit Contributor and higher role privileges to only those users who truly need them, reducing the number of potential attackers who can store malicious content.
  • Implement a strong Content Security Policy that blocks inline scripts and restricts script sources, mitigating the impact if an injection does occur.
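The registration pattern described in the Description (REST-exposed meta with '__return_true' as auth_callback and no sanitize_callback) and the hardening suggested in the Recommended Actions (a stricter auth_callback plus sanitization), side by side as an added example. This is illustrative code written for this page, not Zakra's own code: the zakra_example_* function names, the CSS selectors, and the 'zakra-style' stylesheet handle are assumptions. The local hex validator mirrors the accept rule of sanitize_hex_color() (#rgb or #rrggbb) so the example does not depend on the Customizer file that defines that function being loaded on a front-end request.

```php
<?php
/**
 * Added example, not Zakra's own code. Contrasts the weak register_post_meta()
 * pattern from the advisory with a hardened one, and re-validates at output.
 * All zakra_example_* names, selectors and the style handle are hypothetical.
 */

$zakra_example_meta_keys = array(
    'zakra_menu_item_color',
    'zakra_menu_item_hover_color',
    'zakra_menu_item_active_color',
);

// Same accept rule as WordPress core's sanitize_hex_color(): '#' plus 3 or 6 hex
// digits. Returns '' for anything else so callers can test the result with if().
function zakra_example_hex_color( $value ) {
    $value = is_string( $value ) ? trim( $value ) : '';
    return preg_match( '/^#([A-Fa-f0-9]{3}){1,2}$/', $value ) ? $value : '';
}

// Weak pattern, as described in the advisory: exposed in REST, writable by any
// authenticated user, and stored verbatim because there is no sanitize_callback.
function zakra_example_register_meta_weak() {
    global $zakra_example_meta_keys;
    foreach ( $zakra_example_meta_keys as $key ) {
        register_post_meta( 'post', $key, array(
            'show_in_rest'  => true,
            'single'        => true,
            'type'          => 'string',
            'auth_callback' => '__return_true',
            // no 'sanitize_callback': the REST path stores the raw string
        ) );
    }
}

// Hardened pattern: sanitize_callback runs on every write path (classic editor,
// REST API, update_post_meta()), and auth_callback requires edit_post on the
// specific post instead of accepting every authenticated user.
function zakra_example_register_meta_hardened() {
    global $zakra_example_meta_keys;
    foreach ( $zakra_example_meta_keys as $key ) {
        register_post_meta( 'post', $key, array(
            'show_in_rest'      => true,
            'single'            => true,
            'type'              => 'string',
            'sanitize_callback' => 'zakra_example_hex_color',
            'auth_callback'     => function ( $allowed, $meta_key, $post_id, $user_id ) {
                return user_can( $user_id, 'edit_post', $post_id );
            },
        ) );
    }
}

// Defence in depth at output: validate again before concatenating into CSS, so a
// value that reached the database through any other path cannot alter the markup.
function zakra_example_menu_css( $post_id ) {
    $rules = array(
        'zakra_menu_item_color'        => '.zakra-menu a { color: %s; }',
        'zakra_menu_item_hover_color'  => '.zakra-menu a:hover { color: %s; }',
        'zakra_menu_item_active_color' => '.zakra-menu .current-menu-item > a { color: %s; }',
    );
    $css = '';
    foreach ( $rules as $key => $template ) {
        $color = zakra_example_hex_color( get_post_meta( $post_id, $key, true ) );
        if ( $color ) {
            $css .= sprintf( $template, $color ) . "\n";
        }
    }
    return $css;
}

add_action( 'init', 'zakra_example_register_meta_hardened' );

add_action( 'wp_enqueue_scripts', function () {
    if ( ! is_singular() ) {
        return;
    }
    $css = zakra_example_menu_css( get_queried_object_id() );
    if ( $css ) {
        wp_add_inline_style( 'zakra-style', $css ); // handle name is an assumption
    }
} );
```

The auth_callback closure receives WordPress's standard arguments ($allowed, $meta_key, $object_id, $user_id, ...) and only uses the first four. If the fields do not need to be editable from the block editor at all, setting 'show_in_rest' => false removes the REST write path entirely, as the Recommended Actions note; the sanitize_callback and output validation remain worthwhile in either configuration.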

Generated by OpenCVE AI on July 4, 2026 at 00:59 UTC.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Themegrill
                                      Themegrill zakra
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Themegrill
                                      Themegrill zakra
                                      Wordpress
                                      Wordpress wordpress

Fri, 03 Jul 2026 09:00:00 +0000

Type          Values Removed   Values Added
Description                    The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with 'show_in_rest' => true and 'auth_callback' => '__return_true', but without any sanitize_callback parameter in the register_post_meta() calls. While the classic editor save path applies sanitize_hex_color() sanitization, the REST API path completely bypasses this protection. The unsanitized meta values are then retrieved via get_post_meta() and concatenated directly into CSS strings that are output through wp_add_inline_style() without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
Title                          Zakra <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta REST API
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: score 6.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-03T07:53:09.987Z

Reserved: 2026-03-25T11:38:39.477Z

Link: CVE-2026-4804

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-04T01:00:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')