PT-2026-55517 · Themegrill · Zakra
Published 2026-07-03 · Updated 2026-07-03 · CVE-2026-4804
CVSS v3.1: 6.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with 'show_in_rest' => true and 'auth_callback' => '__return_true', but without any sanitize_callback parameter in the register_post_meta() calls. While the classic editor save path applies sanitize_hex_color() sanitization, the REST API path completely bypasses this protection. The unsanitized meta values are then retrieved via get_post_meta() and concatenated directly into CSS strings that are output through wp_add_inline_style() without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
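The registration pattern the advisory describes, shown beside a hardened form, as an added illustration that is not Zakra's own code. The meta keys come from the advisory; the 'post' object type, the function names and the 'zakra-style' stylesheet handle are assumptions.

```php
<?php
// Added illustration of the CVE-2026-4804 pattern; not code from the Zakra theme.
// Meta keys follow the advisory; 'post', function names and the 'zakra-style'
// handle are assumptions.

const ZAKRA_DEMO_MENU_META = array(
    'zakra_menu_item_color',
    'zakra_menu_item_hover_color',
    'zakra_menu_item_active_color',
);

// BEFORE: REST-exposed meta with no sanitize_callback. Only the classic-editor
// save handler runs sanitize_hex_color(); a write through the REST API stores
// whatever string the (Contributor-level) request carries.
function zakra_demo_register_meta_vulnerable() {
    foreach ( ZAKRA_DEMO_MENU_META as $key ) {
        register_post_meta( 'post', $key, array(
            'show_in_rest'  => true,
            'single'        => true,
            'type'          => 'string',
            'auth_callback' => '__return_true',
            // no 'sanitize_callback': the REST path persists the raw value
        ) );
    }
}

// AFTER: sanitize_callback is applied by sanitize_meta() on every write path,
// REST included. sanitize_hex_color() returns null for anything other than
// #rgb / #rrggbb, so a script payload is never stored. The auth_callback only
// narrows who may write; the sanitize_callback is the actual fix.
function zakra_demo_register_meta_fixed() {
    foreach ( ZAKRA_DEMO_MENU_META as $key ) {
        register_post_meta( 'post', $key, array(
            'show_in_rest'      => true,
            'single'            => true,
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_hex_color',
            'auth_callback'     => function ( $allowed, $meta_key, $object_id ) {
                return current_user_can( 'edit_post', $object_id );
            },
        ) );
    }
}
add_action( 'init', 'zakra_demo_register_meta_fixed' );

// Output path: validate again before concatenating into CSS, so a value that
// reached the database by another route cannot break out of the declaration.
function zakra_demo_inline_menu_css() {
    $raw   = (string) get_post_meta( get_queried_object_id(), 'zakra_menu_item_color', true );
    $color = sanitize_hex_color( $raw );
    if ( empty( $color ) ) {
        return; // invalid or unset: emit no rule rather than the raw string
    }
    wp_add_inline_style( 'zakra-style', '.main-navigation a{color:' . $color . ';}' );
}
add_action( 'wp_enqueue_scripts', 'zakra_demo_inline_menu_css', 20 );
```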
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Zakra