- Published on: Sep 15, 2025
- Research Description:
The Zakra WordPress theme, installed on over 50,000 websites, provides a one-click demo import feature that streamlines site setup by loading predefined layouts, widgets, and content. A critical vulnerability, CVE-2025-8595, allows low-privileged users (Subscriber or higher, that is, any authenticated account) to invoke the demo import process through the import_button AJAX action. The handler is gated only by a nonce that low-privileged users can obtain; a nonce defends against cross-site request forgery and is not an authorization check, so possessing it is enough to pass the gate. With that nonce, an attacker can import arbitrary demo content, alter site configuration, or trigger long-running operations, disrupting the site or laying the groundwork for further privilege escalation.
- Affected versions: no minimum stated; maximum 4.1.5.
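The pattern described in the Research Description above, an AJAX handler that checks a nonce but never checks a capability, is shown here as an added example alongside its hardened form. This is illustrative code written for this page, not the Zakra theme's own source: only the import_button action name comes from the advisory, while the handler names, the nonce action string, the script handle and the demo_id parameter are hypothetical.

```php
<?php
// Added example (not the Zakra theme's code). Illustrates the vulnerability
// class in the advisory: a WordPress AJAX handler protected by a nonce alone.
// "import_button" is the action name from the advisory; every other name here
// (functions, nonce action, script handle, demo_id parameter) is hypothetical.

// VULNERABLE PATTERN (shown for contrast, intentionally not hooked up).
// check_ajax_referer() only proves the request carries a nonce that WordPress
// minted for this action. If that nonce is printed into markup every logged-in
// user can load, a Subscriber can read it and pass this check.
function example_demo_import_vulnerable() {
    check_ajax_referer( 'example-demo-import', 'security' );
    // No current_user_can() call: any authenticated user reaches the import.
    $demo_id = sanitize_key( wp_unslash( $_POST['demo_id'] ?? '' ) );
    example_run_demo_import( $demo_id );
    wp_send_json_success();
}
// add_action( 'wp_ajax_import_button', 'example_demo_import_vulnerable' );

// HARDENED PATTERN: CSRF check plus an explicit authorization check.
// Importing demo content rewrites site configuration, so require the same
// capability an administrator needs to change settings.
add_action( 'wp_ajax_import_button', 'example_demo_import_hardened' );
function example_demo_import_hardened() {
    check_ajax_referer( 'example-demo-import', 'security' );

    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $demo_id = sanitize_key( wp_unslash( $_POST['demo_id'] ?? '' ) );
    if ( '' === $demo_id ) {
        wp_send_json_error( array( 'message' => 'Missing demo id.' ), 400 );
    }

    example_run_demo_import( $demo_id );
    wp_send_json_success( array( 'imported' => $demo_id ) );
}

// Second layer: only hand the nonce to users who are allowed to use it.
// A nonce embedded in pages served to Subscribers is effectively public.
// Assumes a script with handle 'example-demo-import' is registered elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'example-demo-import', 'exampleDemoImport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example-demo-import' ),
    ) );
} );

// Stand-in for the theme's long-running import routine (hypothetical).
function example_run_demo_import( $demo_id ) {
    // Load layouts, widgets and content for $demo_id.
}
```

When auditing a theme or plugin for this class of bug, list every `add_action( 'wp_ajax_...' )` and `add_action( 'wp_ajax_nopriv_...' )` registration and confirm that each handler that changes state calls `current_user_can()` (or an equivalent authorization check) in addition to `check_ajax_referer()`; a nonce check on its own never establishes who is allowed to perform the action. Site owners running an affected Zakra version should update to a patched release and, where public registration is enabled, review recent demo imports and option changes.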