CyberRota
← Ana sayfaya dön

CVE-2026-4804

MEDIUM · CVSS 6.4

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-03T09:16:37.520 · Çekilme zamanı: 2026-07-03T12:08:37.686853+00:00

CyberRota Yorumu

Detaylı analiz gerekiyor.

CVE
CVE-2026-4804
Severity
MEDIUM
CVSS
6.4
EPSS
Yok
WordPress

Orijinal NVD Açıklaması

The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, and zakra_menu_item_active_color) with 'show_in_rest' => true and 'auth_callback' => '__return_true', but without any sanitize_callback parameter in the register_post_meta() calls. While the classic editor save path applies sanitize_hex_color() sanitization, the REST API path completely bypasses this protection. The unsanitized meta values are then retrieved via get_post_meta() and concatenated directly into CSS strings that are output through wp_add_inline_style() without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.