Zakra WordPress Theme Missing Authorization Vulnerability in Demo Import Function

Vulnerability

A vulnerability exists in the Zakra theme for WordPress, in all versions up to and including 4.1.5, that allows unauthorized data modification. The issue arises from a missing capability check in the welcome_notice_import_handler() function: the handler performs an administrative action without verifying that the requesting user holds the required role or capability. As a result, authenticated attackers with Subscriber-level access or higher can import demo settings, potentially leading to unwanted changes on the site.
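To make the defect class concrete, the following is an added illustrative example and not Zakra's code: a generic WordPress AJAX handler for a theme demo import, shown first in the weak form (no authorization check beyond being logged in) and then in the hardened form with a nonce check and a capability check. The hook name, function names, nonce action and option key are all hypothetical.

```php
<?php
// Illustrative example, not the Zakra theme's code. Assumes a theme exposes a
// demo-import action through admin-ajax.php. All names below are hypothetical.

// Weak pattern: wp_ajax_* hooks only require that a user is logged in, so any
// authenticated account (including a Subscriber) reaches the import routine.
function example_theme_import_handler_unchecked() {
    example_theme_apply_demo_settings();
    wp_send_json_success();
}

// Hardened pattern: verify a request-specific nonce (CSRF protection) and an
// appropriate capability before performing any state change.
function example_theme_import_handler_hardened() {
    // Rejects the request (HTTP 403 for AJAX) when the 'nonce' parameter is
    // missing or was not generated for this action.
    check_ajax_referer( 'example_theme_import_demo', 'nonce' );

    // Importing demo content rewrites site options and theme settings, so
    // require a capability that only administrators hold by default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    example_theme_apply_demo_settings();
    wp_send_json_success();
}

// Hypothetical stand-in for the theme's real import routine; it records when
// the demo import ran in a (constructed) option key.
function example_theme_apply_demo_settings() {
    update_option( 'example_theme_demo_imported', time() );
}

// Only the hardened handler is registered for the AJAX action.
add_action( 'wp_ajax_example_theme_import_demo', 'example_theme_import_handler_hardened' );
```

The client side obtains the nonce with wp_create_nonce( 'example_theme_import_demo' ) (typically passed to the page script via wp_localize_script) and sends it as the nonce parameter. The capability check is the fix for the class of bug described above; the nonce check is a separate but complementary control against cross-site request forgery, and neither replaces the other.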

Impact

Exploitation of this vulnerability could allow authenticated users with Subscriber-level access and above to import demo settings, leading to unauthorized modifications of the site's configuration or content.

Remediation

Users are advised to update the Zakra theme to version 4.1.6 or a newer patched version.

Added: Aug 6, 2025, 5:18 AM
Updated: Aug 6, 2025, 5:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.9
remediation: 7.7
relevance: 0.3
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.