cleantalk
Vulnerabilities and Security Researches

Zakra, CVE-2025-8595

CVE, Research URL

CVE-2025-8595

Home page URL

Security reports for Zakra

Application

Zakra

Published on
Sep 15, 2025
Research Description
The Zakra WordPress theme, installed on over 50,000 websites, provides a one-click demo import feature that streamlines site setup by loading predefined layouts, widgets, and content. However, a critical vulnerability—CVE-2025-8595—allows even low-privileged Subscriber+ users to invoke the demo import process via the import_button AJAX action. By exploiting a publicly exposed nonce, attackers can import arbitrary demo content, modify site configuration, or trigger long-running operations, thereby disrupting the site or preparing for further privilege escalations.
Affected versions
Min -, max 4.1.5.
Status
vulnerable
Previous vulnerability researches
Related Posts Lite (CVE-2025-9618) , Sep 01, 2025
Related Posts Lite (e8996797d3713734db7be60da42bc0411af0b21d) , Jun 07, 2024
New vulnerability
Redis Object Cache , Sep 17, 2025
Zakra (CVE-2025-8595) , Sep 15, 2025
PDF Embedder , Sep 11, 2025
Pixeline's Email Protector (CVE-2025-58982) , Sep 11, 2025
Include Me (CVE-2025-58983) , Sep 11, 2025