Goza Nonprofit Charity WordPress Theme Missing Authorization Vulnerability Allowing Unauthenticated Arbitrary File Upload

Vulnerability

A vulnerability exists in the Goza - Nonprofit Charity WordPress Theme, all versions through 3.2.2, allowing unauthorized arbitrary file uploads. This issue arises from a missing capability check in the 'beplus_import_pack_install_plugin' function. As a result, unauthenticated attackers can upload zip files containing web shells disguised as plugins, enabling remote code execution.
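
The missing check described above, in the hardened form a defender would expect: an added example (not the theme's code) of a WordPress AJAX upload handler that performs the nonce and capability checks before installing a plugin archive. The hook name, nonce action, and upload field name are hypothetical; the WordPress functions called are core APIs.

```php
<?php
// Added example, not code from the Goza theme. Hook, nonce action and
// field names ('example_*', 'plugin_zip') are hypothetical.

// Register only the logged-in variant. Deliberately NOT registering a
// 'wp_ajax_nopriv_' hook keeps unauthenticated requests out entirely.
add_action( 'wp_ajax_example_import_pack_install_plugin', 'example_import_pack_install_plugin' );

function example_import_pack_install_plugin() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'example_import_pack', 'nonce' );

    // 2. Capability check: only users allowed to install plugins proceed.
    //    This is the check the advisory reports as missing.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the upload before touching the filesystem.
    if ( empty( $_FILES['plugin_zip'] ) || ! is_uploaded_file( $_FILES['plugin_zip']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }
    $file = $_FILES['plugin_zip'];

    // Accept only a .zip extension/type from an explicit allow-list,
    // rather than trusting the client-supplied file name alone.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], array( 'zip' => 'application/zip' ) );
    if ( 'zip' !== $check['ext'] ) {
        wp_send_json_error( array( 'message' => 'Only .zip archives are accepted.' ), 400 );
    }

    // 4. Install through the core upgrader so WordPress unpacks the archive
    //    itself and writes only into the plugins directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $file['tmp_name'] );

    if ( is_wp_error( $result ) || true !== $result ) {
        wp_send_json_error( array( 'message' => 'Plugin installation failed.' ), 500 );
    }

    wp_send_json_success( array( 'message' => 'Plugin installed.' ) );
}
```

Without steps 1 and 2, any visitor who can reach admin-ajax.php could trigger the upload path, which is the exposure the advisory describes.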

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which can be used to execute malicious code on the server.

Remediation

Users are advised to update to version 3.2.3 or a newer patched version.

Added: Sep 19, 2025, 3:21 AM
Updated: Sep 19, 2025, 3:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.4
remediation: 7.7
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.