CVE-2025-10690
BaseFortify
Publication date: 2025-09-19
Last updated on: 2025-09-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpresstheme | goza | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Goza - Nonprofit Charity WordPress Theme up to version 3.2.2, where a missing capability check in the 'beplus_import_pack_install_plugin' function allows unauthenticated attackers to upload arbitrary files. Specifically, attackers can upload zip files containing webshells disguised as plugins, enabling them to execute remote code on the affected system.
How can this vulnerability impact me? :
The vulnerability can lead to remote code execution by unauthenticated attackers, which means they can take control of the affected WordPress site. This can result in unauthorized access, data theft, site defacement, or use of the site for malicious purposes, severely compromising the security and integrity of the website.