Skip to main content

Zakra WordPress Theme CVE-2026-4804

| EUVDEUVD-2026-41523 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-03 Wordfence GHSA-vwhw-cgc3-f4mh
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Network REST API vector, no special conditions, Contributor authentication required, scope changes to victim browser; no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 09:16 vuln.today
CVE Published
Jul 03, 2026 - 07:53 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with 'show_in_rest' => true and 'auth_callback' => '__return_true', but without any sanitize_callback parameter in the register_post_meta() calls. While the classic editor save path applies sanitize_hex_color() sanitization, the REST API path completely bypasses this protection. The unsanitized meta values are then retrieved via get_post_meta() and concatenated directly into CSS strings that are output through wp_add_inline_style() without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.

AnalysisAI

Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress Contributor
Delivery
Send REST API POST with malicious CSS payload to zakra_menu_item_color meta field
Exploit
Payload stored without sanitization
Execution
Victim (admin or user) loads page with affected menu
Persist
Injected script executes in victim browser
Impact
Steal session token or perform unauthorized admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account with at least Contributor-level access to the WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) appropriately reflects the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a Contributor-level account on the target WordPress site. They issue a REST API POST request to update the zakra_menu_item_color post meta field with a value containing a malicious JavaScript payload (e.g., a CSS string break followed by a script tag or expression). …
Remediation Upgrade the Zakra theme to version 4.2.1 or later, which is confirmed to contain the fix per the WordPress themes Trac changeset (https://themes.trac.wordpress.org/changeset?reponame=&new=330192%40zakra%2F4.2.1&old=297420%40zakra%2F4.2.0). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-4804 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy