cleantalk
Vulnerabilities and Security Researches

Zakra, CVE-2025-8595

CVE, Research URL

CVE-2025-8595

Home page URL

Security reports for Zakra

Application

Zakra

Published on
Sep 15, 2025
Research Description
The Zakra WordPress theme, installed on over 50,000 websites, provides a one-click demo import feature that streamlines site setup by loading predefined layouts, widgets, and content. However, a critical vulnerability—CVE-2025-8595—allows even low-privileged Subscriber+ users to invoke the demo import process via the import_button AJAX action. By exploiting a publicly exposed nonce, attackers can import arbitrary demo content, modify site configuration, or trigger long-running operations, thereby disrupting the site or preparing for further privilege escalations.
Affected versions
Min -, max 4.1.5.
Status
vulnerable
Previous vulnerability researches
Smart Manager – WooCommerce Bulk Edit Products, Orders, Coupons, Any WordPress Post Type (Advanced) (CVE-2025-22710) , Jan 19, 2025
Smart Manager – WooCommerce Bulk Edit Products, Orders, Coupons, Any WordPress Post Type (Advanced) (CVE-2024-49687) , Oct 24, 2024
Smart Manager – WooCommerce Bulk Edit Products, Orders, Coupons, Any WordPress Post Type (Advanced) (CVE-2024-0566) , Jun 07, 2024
Smart Manager – WooCommerce Bulk Edit Products, Orders, Coupons, Any WordPress Post Type (Advanced) (54ee094a291c85ad46e95bf98a3a744d98443fda) , Jun 07, 2024
New vulnerability
Zakra (CVE-2025-8595) , Sep 15, 2025
PDF Embedder , Sep 11, 2025
Pixeline's Email Protector (CVE-2025-58982) , Sep 11, 2025
Include Me (CVE-2025-58983) , Sep 11, 2025
PagSeguro / PagBank Connect (CVE-2025-10142) , Sep 11, 2025