Zakra
Monthly
Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. Those values are later concatenated unsanitized into inline CSS and rendered on every page load, triggering stored XSS against any site visitor. No active exploitation (CISA KEV) is confirmed; a vendor-released patch is available in version 4.2.1.
Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. Those values are later concatenated unsanitized into inline CSS and rendered on every page load, triggering stored XSS against any site visitor. No active exploitation (CISA KEV) is confirmed; a vendor-released patch is available in version 4.2.1.