CVE-2025-8595 MEDIUM

CVE-2025-8595: Zakra <= 4.1.5 - Missing Authorization to Subscriber+ Demo Import

Vendor Themegrill

Product Zakra

Weakness CWE-862 · Missing authorization

Published August 6, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Zakra theme for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo settings.

Explanation of Vulnerability in Simple Terms

02Summary

Zakra theme versions up to 4.1.5 lack proper authorization checks on certain administrative functions. A logged-in user with low privileges can modify site settings or data they should not have access to. The vulnerability requires an active user account but no special interaction from the victim.

What an attacker can do

03Attacker Capabilities

Modify site settings or data without proper permission checks.

Potential impact on your site

04Site Impact

Unauthorized users can alter site configuration or content, potentially defacing or misconfiguring your site.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06Disclosure timeline

August 6, 2025 CVE published

April 8, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-8595 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities