cleantalk
Vulnerabilities and Security Researches

Zakra, CVE-2025-8595

CVE, Research URL

CVE-2025-8595

Home page URL

Security reports for Zakra

Application

Zakra

Published on
Sep 15, 2025
Research Description
The Zakra WordPress theme, installed on over 50,000 websites, provides a one-click demo import feature that streamlines site setup by loading predefined layouts, widgets, and content. However, a critical vulnerability—CVE-2025-8595—allows even low-privileged Subscriber+ users to invoke the demo import process via the import_button AJAX action. By exploiting a publicly exposed nonce, attackers can import arbitrary demo content, modify site configuration, or trigger long-running operations, thereby disrupting the site or preparing for further privilege escalations.
Affected versions
Min -, max 4.1.5.
Status
vulnerable
Previous vulnerability researches
Show Eventbrite Events – Event Feed for Eventbrite (89334c1462f88ee1ed9d01a4d8b56e04bb69b7f8) , Jun 07, 2024
Show Eventbrite Events – Event Feed for Eventbrite (CVE-2025-58623) , Sep 05, 2025
New vulnerability
Zakra (CVE-2025-8595) , Sep 15, 2025
PDF Embedder , Sep 11, 2025
Pixeline's Email Protector (CVE-2025-58982) , Sep 11, 2025
Include Me (CVE-2025-58983) , Sep 11, 2025
PagSeguro / PagBank Connect (CVE-2025-10142) , Sep 11, 2025