Stored Cross-Site Scripting in Zakra Theme for WordPress
CVE-2026-4804

6.4 MEDIUM

Key Information:

Vendor: WordPress
Status: Vendor
CVE Published: 3 July 2026

What is CVE-2026-4804?

The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting due to improper handling of post meta values. Three post meta fields, 'zakra_menu_item_color', 'zakra_menu_item_hover_color' and 'zakra_menu_item_active_color', are registered through register_post_meta() with 'show_in_rest' => true but without a sufficient sanitizer. Although the classic editor sanitizes these values with sanitize_hex_color(), that check is bypassed entirely when the values are written through the REST API, which lets authenticated attackers with Contributor-level access and above store malicious script. The unsanitized values are later retrieved and concatenated directly into CSS strings passed to wp_add_inline_style(), so the injected script can execute whenever a user visits an affected page.
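The weak registration beside a hardened one, as an added example that is not Zakra's code. The three meta key names and the functions register_post_meta(), sanitize_hex_color() and wp_add_inline_style() come from the advisory; the zakra_example_* function names, the 'post' post type and the 'zakra-example-menu' style handle are placeholders chosen here.

```php
<?php
// Weak form (as the advisory describes it): 'show_in_rest' => true with no
// 'sanitize_callback'. The classic-editor save path may call sanitize_hex_color(),
// but the REST API writes straight to post meta, so whatever string a
// Contributor submits is stored unchanged.
function zakra_example_register_meta_weak() {
    register_post_meta( 'post', 'zakra_menu_item_color', array(
        'type'         => 'string',
        'single'       => true,
        'show_in_rest' => true,
    ) );
}

// Strict validator: only '#rgb' or '#rrggbb' survives; anything else becomes ''.
// Uses core sanitize_hex_color() when loaded, with an equivalent regex fallback.
function zakra_example_sanitize_hex( $value ) {
    if ( function_exists( 'sanitize_hex_color' ) ) {
        return (string) sanitize_hex_color( $value ); // null (invalid) becomes ''
    }
    return preg_match( '/^#([A-Fa-f0-9]{3}){1,2}$/', (string) $value ) ? $value : '';
}

// Hardened form: the sanitize_callback runs on every write path, REST included.
function zakra_example_register_meta_hardened() {
    $keys = array(
        'zakra_menu_item_color',
        'zakra_menu_item_hover_color',
        'zakra_menu_item_active_color',
    );
    foreach ( $keys as $key ) {
        register_post_meta( 'post', $key, array(
            'type'              => 'string',
            'single'            => true,
            'show_in_rest'      => true,
            'sanitize_callback' => 'zakra_example_sanitize_hex',
        ) );
    }
}
add_action( 'init', 'zakra_example_register_meta_hardened' );

// Defence in depth at the output sink: meta stored before the fix is still
// re-validated before it is concatenated into the inline CSS.
function zakra_example_menu_inline_css( $post_id ) {
    $color = zakra_example_sanitize_hex( get_post_meta( $post_id, 'zakra_menu_item_color', true ) );
    if ( '' !== $color ) {
        wp_add_inline_style( 'zakra-example-menu', '.main-navigation a{color:' . $color . ';}' );
    }
}
```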

Affected Version(s)

Zakra <= 4.2.0 (all versions up to and including 4.2.0)

CVSS v3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osvaldo Noe Gonzalez Del Rio (Os)