cleantalk
Vulnerabilities and Security Researches

Zakra, CVE-2025-8595

CVE, Research URL

CVE-2025-8595

Home page URL

Security reports for Zakra

Application

Zakra

Published on
Sep 15, 2025
Research Description
The Zakra WordPress theme, installed on over 50,000 websites, provides a one-click demo import feature that streamlines site setup by loading predefined layouts, widgets, and content. However, a critical vulnerability—CVE-2025-8595—allows even low-privileged Subscriber+ users to invoke the demo import process via the import_button AJAX action. By exploiting a publicly exposed nonce, attackers can import arbitrary demo content, modify site configuration, or trigger long-running operations, thereby disrupting the site or preparing for further privilege escalations.
Affected versions
Min -, max 4.1.5.
Status
vulnerable
Previous vulnerability researches
WP Quick Post Duplicator (8c412c0666baee67ae3ee0f0eb18d8d95123aee2) , Jun 07, 2024
WP Quick Post Duplicator (CVE-2023-31214) , Jun 10, 2024
New vulnerability
Redis Object Cache , Sep 17, 2025
Zakra (CVE-2025-8595) , Sep 15, 2025
PDF Embedder , Sep 11, 2025
Pixeline's Email Protector (CVE-2025-58982) , Sep 11, 2025
Include Me (CVE-2025-58983) , Sep 11, 2025