Stored Cross-Site Scripting in Zakra Theme for WordPress
CVE-2026-4804
What is CVE-2026-4804?
The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting because of improper handling of post meta values. Three post meta fields, 'zakra_menu_item_color', 'zakra_menu_item_hover_color' and 'zakra_menu_item_active_color', are registered with register_post_meta() using 'show_in_rest' => true but without a sufficient sanitize_callback. The classic editor's save path runs the submitted values through sanitize_hex_color(), but the REST API writes post meta through the registration in register_post_meta() directly, so that check is bypassed entirely. An authenticated attacker with Contributor-level access or higher can therefore store an arbitrary string in these fields. The stored values are read back and concatenated directly into CSS passed to wp_add_inline_style(), so the injected payload is emitted into the page's inline style block and can lead to execution of arbitrary script whenever a user visits an affected page.
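The following is an added illustration of the pattern described above, not Zakra's own code: the function names, the style handle 'zakra-style', the CSS selectors and the use of the 'post' post type are hypothetical, while the three meta keys and the WordPress APIs (register_post_meta(), sanitize_hex_color(), get_post_meta(), wp_add_inline_style()) are real. It shows the REST-exposed registration with no sanitize_callback, the unsafe concatenation into CSS, and the hardened form that sanitizes on write and re-validates on output.

```php
<?php
/**
 * Added example for this advisory. Not the theme's code: function names,
 * selectors and the style handle are assumptions; the meta keys and the
 * WordPress functions used are real.
 */

const ZAKRA_MENU_COLOR_KEYS = array(
    'zakra_menu_item_color',
    'zakra_menu_item_hover_color',
    'zakra_menu_item_active_color',
);

// --- Vulnerable pattern -----------------------------------------------------
// 'show_in_rest' => true exposes the meta through /wp-json/wp/v2/posts. With no
// 'sanitize_callback', the only check the REST path applies is the schema type
// ('string'), so any string sent by a user who can edit the post (Contributors
// can edit their own drafts) is stored verbatim. The classic-editor save
// handler that calls sanitize_hex_color() is never involved on this path.
function zakra_register_menu_color_meta_vulnerable() {
    foreach ( ZAKRA_MENU_COLOR_KEYS as $key ) {
        register_post_meta(
            'post',
            $key,
            array(
                'type'         => 'string',
                'single'       => true,
                'show_in_rest' => true,
                // Missing: 'sanitize_callback'.
            )
        );
    }
}

// The stored string is dropped straight into CSS. wp_add_inline_style() prints
// its argument inside a <style> element without escaping, so whatever was
// stored through the REST API ends up in the page source unchanged.
function zakra_print_menu_colors_vulnerable( $post_id ) {
    $color = get_post_meta( $post_id, 'zakra_menu_item_color', true );
    $css   = '.main-navigation a { color: ' . $color . '; }';
    wp_add_inline_style( 'zakra-style', $css );
}

// --- Hardened pattern -------------------------------------------------------
// sanitize_hex_color() returns the input only for '#rgb' / '#rrggbb' (and ''
// for an empty string); anything else yields null. Normalise null to '' so the
// caller can simply skip the rule.
function zakra_sanitize_menu_color( $value ) {
    $clean = sanitize_hex_color( (string) $value );
    return is_string( $clean ) ? $clean : '';
}

function zakra_register_menu_color_meta_fixed() {
    foreach ( ZAKRA_MENU_COLOR_KEYS as $key ) {
        register_post_meta(
            'post',
            $key,
            array(
                'type'              => 'string',
                'single'            => true,
                'show_in_rest'      => true,
                // Applied on every write path, REST included.
                'sanitize_callback' => 'zakra_sanitize_menu_color',
            )
        );
    }
}

// Re-validate at output time as well: values written before the fix, or via
// any other path that bypasses the registered callback, must not reach the
// <style> block unchecked.
function zakra_print_menu_colors_fixed( $post_id ) {
    $selectors = array(
        'zakra_menu_item_color'        => '.main-navigation a',
        'zakra_menu_item_hover_color'  => '.main-navigation a:hover',
        'zakra_menu_item_active_color' => '.main-navigation .current-menu-item > a',
    );
    $css = '';
    foreach ( $selectors as $key => $selector ) {
        $color = zakra_sanitize_menu_color( get_post_meta( $post_id, $key, true ) );
        if ( '' !== $color ) {
            $css .= sprintf( '%s { color: %s; } ', $selector, $color );
        }
    }
    if ( '' !== $css ) {
        wp_add_inline_style( 'zakra-style', trim( $css ) );
    }
}

add_action( 'init', 'zakra_register_menu_color_meta_fixed' );
add_action( 'wp_enqueue_scripts', function () {
    if ( is_singular() ) {
        zakra_print_menu_colors_fixed( get_queried_object_id() );
    }
}, 20 ); // after the theme has enqueued the 'zakra-style' handle
```

The sanitize_callback is the control that matters here: register_post_meta()'s default auth_callback already allows anyone who can edit the post to write non-protected meta, which is by design for per-post settings, so the value itself has to be constrained to a colour before it is stored. The output-time check is defence in depth and also cleans up meta that was stored while the vulnerable registration was active.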
Affected Version(s)
Zakra <= 4.2.0 (all versions up to and including 4.2.0)