CVE Catalog

CVE-2026-4804

Medium · CVSS 6.4

Summary

The Zakra theme for WordPress, in all versions up to and including 4.2.0, is vulnerable to Stored Cross-Site Scripting. Three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, zakra_menu_item_active_color) are exposed through the REST API without a sanitize_callback, so an authenticated attacker with Contributor-level access or higher can store arbitrary markup in them. The stored values are later concatenated into inline CSS without escaping, and the injected script executes whenever a user views the affected page.

Risk Assessment

An attacker who can store a payload gets arbitrary JavaScript execution in the browser of anyone who views the page, administrators included, which enables session theft, malicious redirects, or defacement. Exposure is limited to sites running Zakra 4.2.0 or earlier that grant Contributor (or higher) accounts to users they do not fully trust. Note that the sanitization gap is in the REST API write path, which the block editor itself uses, so the classic-editor sanitization described by NVD offers no protection on its own.

Recommendation

Update the Zakra theme to a release newer than 4.2.0 that addresses this issue. If an update is not immediately possible, enforce sanitize_hex_color() on the three meta keys for every write path (for example through a child theme or must-use plugin that hooks WordPress's per-key meta sanitization filter), or remove the fields from the REST API until the theme is patched. In either case, review existing post meta for these keys and clear any value that is not a plain hex colour, since payloads stored before mitigation remain live.

Original NVD description (English source)

The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with 'show_in_rest' => true and 'auth_callback' => '__return_true', but without any sanitize_callback parameter in the register_post_meta() calls. While the classic editor save path applies sanitize_hex_color() sanitization, the REST API path completely bypasses this protection. The unsanitized meta values are then retrieved via get_post_meta() and concatenated directly into CSS strings that are output through wp_add_inline_style() without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
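As an added example (not the theme's own code and not the vendor's patch), the following must-use plugin puts the vulnerable register_post_meta() shape described above beside a hardened one, and then shows the site-level mitigation the Recommendation section refers to: hooking the sanitize_post_meta_{$meta_key} filter that WordPress applies inside sanitize_meta() on every update_metadata() call, which covers classic-editor, block-editor and raw REST writes alike. The zakra_example_ function names, the CSS selectors and the mu-plugin layout are assumptions for illustration; only the three meta key names come from the advisory.

```php
<?php
/**
 * Plugin Name: Zakra menu colour meta hardening (added example)
 *
 * Example code for the advisory, not the theme's or vendor's code.
 * Place in wp-content/mu-plugins/ to force hex-colour validation on the
 * three post meta keys named in the advisory, whatever save path writes them.
 * Requires WordPress 5.4+, where sanitize_hex_color() is always loaded.
 */

// The three keys named in the advisory.
const ZAKRA_MENU_COLOR_META_KEYS = array(
    'zakra_menu_item_color',
    'zakra_menu_item_hover_color',
    'zakra_menu_item_active_color',
);

/**
 * Vulnerable shape as described by NVD: exposed to REST, any authenticated
 * user may write it, and no sanitize_callback. Shown for contrast only.
 */
function zakra_example_register_meta_vulnerable() {
    register_post_meta( '', 'zakra_menu_item_color', array(
        'show_in_rest'  => true,
        'single'        => true,
        'type'          => 'string',
        'auth_callback' => '__return_true',
        // no 'sanitize_callback': REST writes reach the database unchanged.
    ) );
}

/**
 * Hardened shape: same REST exposure, but every write runs through
 * sanitize_hex_color() and only users who can edit the post may write it.
 * Illustrates what a fixed registration looks like; not activated here.
 */
function zakra_example_register_meta_hardened() {
    foreach ( ZAKRA_MENU_COLOR_META_KEYS as $key ) {
        register_post_meta( '', $key, array(
            'show_in_rest'      => true,
            'single'            => true,
            'type'              => 'string',
            'sanitize_callback' => 'zakra_example_sanitize_hex_or_empty',
            'auth_callback'     => function ( $allowed, $meta_key, $post_id ) {
                return current_user_can( 'edit_post', $post_id );
            },
        ) );
    }
}

/**
 * sanitize_hex_color() returns null for anything other than '' or a
 * #rgb / #rrggbb value; normalise null to '' so a rejected payload is
 * stored as an empty, harmless string.
 */
function zakra_example_sanitize_hex_or_empty( $value ) {
    $clean = sanitize_hex_color( (string) $value );
    return null === $clean ? '' : $clean;
}

/**
 * Active site-level mitigation: sanitize_meta() applies
 * 'sanitize_post_meta_{$meta_key}' on every metadata write even when the
 * theme's own register_post_meta() call supplied no sanitize_callback.
 * Assumes the theme registered the keys without an object subtype; if it
 * did, the 'sanitize_post_meta_{$meta_key}_for_{$post_type}' variant applies.
 */
foreach ( ZAKRA_MENU_COLOR_META_KEYS as $key ) {
    add_filter( 'sanitize_post_meta_' . $key, 'zakra_example_sanitize_hex_or_empty', 10, 1 );
}

/**
 * Defence in depth at output: re-validate before concatenating into CSS so
 * that values stored before the filter was installed cannot reach
 * wp_add_inline_style(). The selectors are assumed; the theme's real output
 * code is not shown on the page.
 */
function zakra_example_menu_color_css( $post_id ) {
    $rules = array(
        'zakra_menu_item_color'        => '.zakra-menu a { color: %s; }',
        'zakra_menu_item_hover_color'  => '.zakra-menu a:hover { color: %s; }',
        'zakra_menu_item_active_color' => '.zakra-menu .current-menu-item a { color: %s; }',
    );
    $css = '';
    foreach ( $rules as $key => $rule ) {
        $color = zakra_example_sanitize_hex_or_empty( get_post_meta( $post_id, $key, true ) );
        if ( '' !== $color ) {
            $css .= sprintf( $rule, $color );
        }
    }
    return $css;
}
```

The filter-based mitigation is the part that matters for an unpatched site: it hooks the sanitization stage that both the classic save path and the REST meta controller pass through, so there is no separate REST bypass to close. It does not clean values already in the database, which is why the output-side re-validation (or a one-off audit of wp_postmeta for these keys) is still needed.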

Vulnerability data from NVD (NIST) · CISA KEV · EPSS