CVE-2025-10690
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary ZIP files containing malicious plugins to WordPress sites using the Goza theme. Attackers can achieve remote code execution by disguising webshells as plugins. All WordPress sites using Goza theme versions up to 3.2.2 are affected.
💻 Affected Systems
- Goza - Nonprofit Charity WordPress Theme
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, or use as part of a botnet.
Likely Case
Website defacement, data exfiltration, and installation of backdoors for persistent access.
If Mitigated
Limited impact if proper file upload restrictions and web application firewalls are in place.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable endpoint. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.2.2
Vendor Advisory: https://themeforest.net/item/goza-nonprofit-charity-wordpress-theme/23781575
Restart Required: No
Instructions:
1. Update Goza theme to latest version via WordPress admin panel. 2. Verify theme version is above 3.2.2. 3. Clear WordPress cache if applicable.
🔧 Temporary Workarounds
Disable vulnerable function via plugin
allCreate a custom plugin to remove or override the vulnerable 'beplus_import_pack_install_plugin' function
Web Application Firewall rule
allBlock requests to the vulnerable endpoint using WAF rules
🧯 If You Can't Patch
- Disable or remove the Goza theme entirely and switch to a secure alternative
- Implement strict file upload restrictions at the web server level to block ZIP uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Appearance > Themes for Goza theme version. If version is 3.2.2 or lower, site is vulnerable.Check Version:
wp theme list --field=name,version --format=csv | grep gozaVerify Fix Applied:
After updating, verify theme version is above 3.2.2. Test by attempting to access the vulnerable endpoint (should return 403 or 404).📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to theme-specific endpoints containing 'beplus_import_pack_install_plugin'
- Unusual file uploads to wp-content/uploads/ directory
- ZIP file uploads from unauthenticated users
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=beplus_import_pack_install_plugin
- Unusual outbound connections from web server after file upload
SIEM Query:
source="web_server" AND (uri_path="*admin-ajax.php*" AND post_data="*beplus_import_pack_install_plugin*")