Search criteria
4 vulnerabilities found for Goza - Nonprofit Charity WordPress Theme by Bearsthemes
CVE-2025-10690 (GCVE-0-2025-10690)
Vulnerability from cvelistv5 – Published: 2025-09-19 02:27 – Updated: 2025-09-19 13:09
VLAI?
Title
Goza - Nonprofit Charity WordPress Theme <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
Summary
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
Severity ?
9.8 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bearsthemes | Goza - Nonprofit Charity WordPress Theme |
Affected:
* , ≤ 3.2.2
(semver)
|
Credits
grov x
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10690",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T13:09:25.232160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T13:09:32.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Goza - Nonprofit Charity WordPress Theme",
"vendor": "Bearsthemes",
"versions": [
{
"lessThanOrEqual": "3.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "grov x"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the \u0027beplus_import_pack_install_plugin\u0027 function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T02:27:00.685Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/628bfa19-2ffa-426b-8b88-22a0c4d0ba92?source=cve"
},
{
"url": "https://themeforest.net/item/goza-nonprofit-charity-wordpress-theme/23781575"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5394"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-08T19:58:15.000+00:00",
"value": "Disclosed"
}
],
"title": "Goza - Nonprofit Charity WordPress Theme \u003c= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10690",
"datePublished": "2025-09-19T02:27:00.685Z",
"dateReserved": "2025-09-18T13:57:31.775Z",
"dateUpdated": "2025-09-19T13:09:32.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10134 (GCVE-0-2025-10134)
Vulnerability from cvelistv5 – Published: 2025-09-09 08:22 – Updated: 2025-09-09 19:27
VLAI?
Title
Goza - Nonprofit Charity WordPress Theme <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Deletion
Summary
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity ?
9.1 (Critical)
CWE
- CWE-73 - External Control of File Name or Path
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bearsthemes | Goza - Nonprofit Charity WordPress Theme |
Affected:
3.2.2
|
Credits
Thái An
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T19:27:26.961665Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T19:27:34.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Goza - Nonprofit Charity WordPress Theme",
"vendor": "Bearsthemes",
"versions": [
{
"status": "affected",
"version": "3.2.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Th\u00e1i An"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T08:22:36.849Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73efd9ad-9515-4ca8-bfb3-1d478f39c2b9?source=cve"
},
{
"url": "https://themeforest.net/item/goza-nonprofit-charity-wordpress-theme/23781575"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-14T15:24:20.000+00:00",
"value": "Disclosed"
}
],
"title": "Goza - Nonprofit Charity WordPress Theme \u003c= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10134",
"datePublished": "2025-09-09T08:22:36.849Z",
"dateReserved": "2025-09-08T20:03:24.392Z",
"dateUpdated": "2025-09-09T19:27:34.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10690 (GCVE-0-2025-10690)
Vulnerability from nvd – Published: 2025-09-19 02:27 – Updated: 2025-09-19 13:09
VLAI?
Title
Goza - Nonprofit Charity WordPress Theme <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
Summary
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
Severity ?
9.8 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bearsthemes | Goza - Nonprofit Charity WordPress Theme |
Affected:
* , ≤ 3.2.2
(semver)
|
Credits
grov x
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10690",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T13:09:25.232160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T13:09:32.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Goza - Nonprofit Charity WordPress Theme",
"vendor": "Bearsthemes",
"versions": [
{
"lessThanOrEqual": "3.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "grov x"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the \u0027beplus_import_pack_install_plugin\u0027 function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T02:27:00.685Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/628bfa19-2ffa-426b-8b88-22a0c4d0ba92?source=cve"
},
{
"url": "https://themeforest.net/item/goza-nonprofit-charity-wordpress-theme/23781575"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5394"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-08T19:58:15.000+00:00",
"value": "Disclosed"
}
],
"title": "Goza - Nonprofit Charity WordPress Theme \u003c= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10690",
"datePublished": "2025-09-19T02:27:00.685Z",
"dateReserved": "2025-09-18T13:57:31.775Z",
"dateUpdated": "2025-09-19T13:09:32.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10134 (GCVE-0-2025-10134)
Vulnerability from nvd – Published: 2025-09-09 08:22 – Updated: 2025-09-09 19:27
VLAI?
Title
Goza - Nonprofit Charity WordPress Theme <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Deletion
Summary
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity ?
9.1 (Critical)
CWE
- CWE-73 - External Control of File Name or Path
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bearsthemes | Goza - Nonprofit Charity WordPress Theme |
Affected:
3.2.2
|
Credits
Thái An
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T19:27:26.961665Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T19:27:34.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Goza - Nonprofit Charity WordPress Theme",
"vendor": "Bearsthemes",
"versions": [
{
"status": "affected",
"version": "3.2.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Th\u00e1i An"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T08:22:36.849Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73efd9ad-9515-4ca8-bfb3-1d478f39c2b9?source=cve"
},
{
"url": "https://themeforest.net/item/goza-nonprofit-charity-wordpress-theme/23781575"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-14T15:24:20.000+00:00",
"value": "Disclosed"
}
],
"title": "Goza - Nonprofit Charity WordPress Theme \u003c= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10134",
"datePublished": "2025-09-09T08:22:36.849Z",
"dateReserved": "2025-09-08T20:03:24.392Z",
"dateUpdated": "2025-09-09T19:27:34.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}