cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security research for Zakra

Sep 15, 2025

Zakra # CVE-2025-8595

CVE

CVE-2025-8595

Application

Zakra

Date
Sep 15, 2025
Research Description
The Zakra WordPress theme, installed on over 50,000 websites, provides a one-click demo import feature that streamlines site setup by loading predefined layouts, widgets, and content. A critical vulnerability, CVE-2025-8595, allows authenticated users with Subscriber-level access and above to invoke the demo import process through the import_button AJAX action. The action is guarded only by a publicly exposed nonce; a nonce defends against CSRF but does not establish who is authorized to act, so any logged-in user who can read it passes the check. An attacker can import arbitrary demo content, modify site configuration, or trigger long-running import operations, disrupting the site or preparing the ground for further privilege escalation.
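The pattern behind this class of bug, shown as an added illustration that is not Zakra's code: an admin-ajax handler that relies on a nonce alone, beside a hardened handler that also enforces a capability, validates the demo slug against an allow-list, serialises long-running imports, and stops handing the nonce to users who may not import. Every hook, function, option and transient name prefixed example_, and the demo catalogue, are hypothetical.

```php
<?php
/**
 * Added illustration, not Zakra's code: a demo-import admin-ajax handler that is
 * guarded only by a nonce, beside a hardened version. All hook, function and
 * transient names (example_*) and the demo list are hypothetical.
 */

// Hypothetical catalogue of demos the theme ships; used as an allow-list below.
function example_available_demos() {
    return array(
        'business' => 'https://demos.example.invalid/business.xml',
        'blog'     => 'https://demos.example.invalid/blog.xml',
    );
}

// Hypothetical stand-in for the real (slow) importer.
function example_run_demo_import( $slug ) {
    $demos = example_available_demos();
    // ... fetch $demos[ $slug ], create posts, set widgets and options ...
    return isset( $demos[ $slug ] );
}

/* ---- Vulnerable pattern: nonce only ---------------------------------------
 * A nonce proves the request originated from a page the site rendered (CSRF
 * defence). It does not say who may perform the action. If the nonce is printed
 * into markup that every logged-in user receives, any Subscriber can read it
 * and call this endpoint.
 */
function example_import_button_vulnerable() {
    check_ajax_referer( 'example_import_nonce', 'nonce' );
    $slug = isset( $_POST['demo'] ) ? sanitize_key( wp_unslash( $_POST['demo'] ) ) : '';
    example_run_demo_import( $slug );
    wp_send_json_success();
}
// Left unregistered so only the hardened handler answers this action:
// add_action( 'wp_ajax_example_import_button', 'example_import_button_vulnerable' );

/* ---- Hardened pattern: nonce + capability + allow-list + single-flight ---- */
function example_import_button_hardened() {
    check_ajax_referer( 'example_import_nonce', 'nonce' );

    // Authorization: demo import rewrites content, widgets and options, so
    // require the capability the theme's own settings screens require.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 ); // calls wp_die()
    }

    // Input validation: only a demo the theme actually ships may be imported.
    $slug = isset( $_POST['demo'] ) ? sanitize_key( wp_unslash( $_POST['demo'] ) ) : '';
    if ( ! array_key_exists( $slug, example_available_demos() ) ) {
        wp_send_json_error( array( 'message' => 'Unknown demo.' ), 400 );
    }

    // Single-flight lock so repeated requests cannot stack long-running imports.
    if ( get_transient( 'example_demo_import_lock' ) ) {
        wp_send_json_error( array( 'message' => 'An import is already running.' ), 409 );
    }
    set_transient( 'example_demo_import_lock', 1, 10 * MINUTE_IN_SECONDS );
    $ok = example_run_demo_import( $slug );
    delete_transient( 'example_demo_import_lock' );

    if ( $ok ) {
        wp_send_json_success();
    }
    wp_send_json_error( array( 'message' => 'Import failed.' ), 500 );
}
add_action( 'wp_ajax_example_import_button', 'example_import_button_hardened' );

// Hand the nonce only to users who are allowed to import. Everyone else never
// sees it in page source, which removes the "publicly exposed nonce".
function example_enqueue_import_script() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-import', get_template_directory_uri() . '/js/import.js', array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-import', 'exampleImport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_import_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_import_script' );
```

The capability check is the fix that matters; the allow-list and lock limit what an authorized but careless or compromised administrator account can do, and gating the nonce at enqueue time closes the disclosure path. To confirm a fix holds on a real site, log in as a Subscriber and POST the action to admin-ajax.php with a nonce scraped from page source: the request must be refused before any import work starts.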
Affected versions
Not specified (min -, max -).
Status
vulnerable