Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Network REST API vector, no special conditions, Contributor authentication required, scope changes to victim browser; no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with 'show_in_rest' => true and 'auth_callback' => '__return_true', but without any sanitize_callback parameter in the register_post_meta() calls. While the classic editor save path applies sanitize_hex_color() sanitization, the REST API path completely bypasses this protection. The unsanitized meta values are then retrieved via get_post_meta() and concatenated directly into CSS strings that are output through wp_add_inline_style() without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
AnalysisAI
Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account with at least Contributor-level access to the WordPress site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) appropriately reflects the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a Contributor-level account on the target WordPress site. They issue a REST API POST request to update the zakra_menu_item_color post meta field with a value containing a malicious JavaScript payload (e.g., a CSS string break followed by a script tag or expression). … |
| Remediation | Upgrade the Zakra theme to version 4.2.1 or later, which is confirmed to contain the fix per the WordPress themes Trac changeset (https://themes.trac.wordpress.org/changeset?reponame=&new=330192%40zakra%2F4.2.1&old=297420%40zakra%2F4.2.0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41523
GHSA-vwhw-cgc3-f4mh