CVE-2026-4804 in Zakra Plugininfo

Summary

by MITRE • 07/03/2026

The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with 'show_in_rest' => true and 'auth_callback' => '__return_true', but without any sanitize_callback parameter in the register_post_meta() calls. While the classic editor save path applies sanitize_hex_color() sanitization, the REST API path completely bypasses this protection. The unsanitized meta values are then retrieved via get_post_meta() and concatenated directly into CSS strings that are output through wp_add_inline_style() without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/03/2026

The vulnerability in the Zakra WordPress theme represents a critical stored cross-site scripting flaw that affects all versions up to and including 4.2.0. This issue stems from improper input validation and sanitization practices within the theme's REST API implementation, creating a persistent security weakness that can be exploited by authenticated attackers. The vulnerability operates through three specific post meta fields: zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color, which are registered with the WordPress REST API but lack proper sanitization controls.

The technical flaw manifests in the registration of these meta fields using register_post_meta() function calls that specify 'show_in_rest' => true to expose them through the REST API endpoint, yet fail to implement the crucial 'sanitize_callback' parameter. Additionally, the 'auth_callback' => '__return_true' setting removes any authentication restrictions for accessing these fields, allowing unauthorized modifications. While the classic editor path correctly applies sanitize_hex_color() function to validate color values, the REST API pathway completely bypasses this protection mechanism, creating a dangerous discrepancy in input handling between different editing interfaces.

The operational impact of this vulnerability extends beyond simple script injection, as it enables authenticated attackers with Contributor-level access or higher to execute arbitrary JavaScript code within the context of any page containing the maliciously injected meta values. When users browse pages that contain these compromised post meta fields, the unsanitized color values are retrieved through get_post_meta() and directly concatenated into CSS strings that are subsequently output via wp_add_inline_style() without proper HTML escaping or context-specific sanitization. This creates a persistent XSS vector that can affect any user who views the compromised content, potentially leading to session hijacking, credential theft, or further exploitation of the WordPress installation.

Security professionals should note this vulnerability aligns with CWE-79 (Cross-Site Scripting) and follows patterns commonly associated with ATT&CK technique T1566.001 (Phishing via Social Media) and T1213.002 (External Remote Services). The attack vector specifically targets the WordPress REST API functionality and demonstrates how improper parameter handling in post meta registration can create persistent XSS vulnerabilities. Organizations should immediately update to patched versions of the Zakra theme or implement additional security controls including input validation at the application level, proper sanitization of all user-supplied content, and monitoring for unauthorized modifications to post meta fields through both classic and REST API interfaces.

Mitigation strategies should include immediate patching of the theme to version 4.2.1 or later where the sanitize_callback parameters have been properly implemented in the register_post_meta() calls. Additionally, administrators should consider implementing Content Security Policy headers to limit script execution capabilities, regularly audit post meta field modifications through access logs, and establish proper role-based access controls to minimize the impact of compromised accounts. The vulnerability serves as a cautionary example of how seemingly minor configuration oversights in API endpoint registration can create significant security risks within WordPress installations, particularly when dealing with user-supplied content that gets rendered in web contexts.

Responsible

Wordfence

Reservation

03/25/2026

Disclosure

07/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00187

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!