Skip to main content

Zakra

1 CVEs product

Monthly

CVE-2026-4804 MEDIUM This Month

Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. Those values are later concatenated unsanitized into inline CSS and rendered on every page load, triggering stored XSS against any site visitor. No active exploitation (CISA KEV) is confirmed; a vendor-released patch is available in version 4.2.1.

WordPress XSS Zakra
NVD
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. Those values are later concatenated unsanitized into inline CSS and rendered on every page load, triggering stored XSS against any site visitor. No active exploitation (CISA KEV) is confirmed; a vendor-released patch is available in version 4.2.1.

WordPress XSS Zakra
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy