CVE-2026-4804 PUBLISHED

Zakra <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta REST API

Assigner: Wordfence
Reserved: 25.03.2026 Published: 03.07.2026 Updated: 03.07.2026

The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with 'show_in_rest' => true and 'auth_callback' => '__return_true', but without any sanitize_callback parameter in the register_post_meta() calls. While the classic editor save path applies sanitize_hex_color() sanitization, the REST API path completely bypasses this protection. The unsanitized meta values are then retrieved via get_post_meta() and concatenated directly into CSS strings that are output through wp_add_inline_style() without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 6.4

Product Status

Vendor themegrill
Product Zakra
Versions Default: unaffected
  • affected from 0 to 4.2.0 (incl.)

Credits

  • Osvaldo Noe Gonzalez Del Rio (Os) finder

References

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE