Overview
CVE-2025-10690 is a critical security flaw in the Goza WordPress theme. It affects all versions of the theme up to and including 3.2.2 and allows unauthenticated, arbitrary file uploads. Because an uploaded file can carry executable code, the flaw can result in full system compromise or data leakage. Its severity calls for immediate attention from both security professionals and users of the affected theme.
The Goza – Nonprofit Charity WordPress Theme is used by many nonprofits and charities for their WordPress sites, so this vulnerability has far-reaching implications and may affect a large number of users and organizations. The risk should not be underestimated, and action should be taken promptly to mitigate its potential impact.
Vulnerability Summary
CVE ID: CVE-2025-10690
Severity: Critical (9.8)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential full system compromise or data leakage
Affected Products
| Product | Affected Versions |
| --- | --- |
| Goza – Nonprofit Charity WordPress Theme | Up to, and including, 3.2.2 |
How the Exploit Works
CVE-2025-10690 arises from a missing capability check on the ‘beplus_import_pack_install_plugin’ function in the Goza WordPress theme. Because the function never verifies that the caller is allowed to install plugins, an attacker can upload arbitrary files, including zip archives containing malicious webshells disguised as plugins. The upload can be performed remotely without authentication, giving the attacker the ability to execute code on the affected system.
Conceptual Example Code
Here is a conceptual example of how an attacker might exploit this vulnerability:
POST /wp-content/themes/goza/beplus_import_pack_install_plugin HTTP/1.1
Host: target.example.com
Content-Type: application/zip
{ "file": "webshell.zip" }
In this example, the attacker sends a POST request to the ‘beplus_import_pack_install_plugin’ function, uploading a zip file (‘webshell.zip’) containing a malicious webshell. This webshell, once installed, gives the attacker the ability to execute remote code on the affected system, potentially leading to full system compromise or data leakage.
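To make the root cause concrete, the following added illustration (not Goza's code; the function, action and field names are hypothetical, only the WordPress core APIs are real) shows a plugin-installer AJAX handler that lacks a capability check beside the same handler with the checks a maintainer would add.

```php
<?php
// Added illustration, not the theme's code. Names prefixed "example_" are
// hypothetical; current_user_can, check_ajax_referer, wp_check_filetype,
// wp_handle_upload and wp_send_json_* are WordPress core functions.

// BEFORE: whoever reaches the handler is served. Hooked on wp_ajax_nopriv_,
// this runs for unauthenticated requests, and nothing asks whether the
// caller is allowed to install plugins, which is the class of defect in
// CVE-2025-10690.
function example_import_pack_install_plugin_unchecked() {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['plugin_zip'], array( 'test_form' => false ) );
    wp_send_json( $result );
}

// AFTER: three gates are passed before any file is touched.
function example_import_pack_install_plugin_checked() {
    // 1. Nonce: the request must come from a page WordPress issued to this user.
    check_ajax_referer( 'example_import_pack', 'nonce' );

    // 2. Capability: only users permitted to install plugins may continue.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. File type: accept only the archive type the feature needs.
    if ( empty( $_FILES['plugin_zip'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }
    $allowed = array( 'zip' => 'application/zip' );
    $type    = wp_check_filetype( $_FILES['plugin_zip']['name'], $allowed );
    if ( 'zip' !== $type['ext'] ) {
        wp_send_json_error( 'only .zip archives are accepted', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['plugin_zip'], array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( $result );
}

// Register for logged-in users only; an installer must never be on wp_ajax_nopriv_.
add_action( 'wp_ajax_example_import_pack_install_plugin', 'example_import_pack_install_plugin_checked' );
```

When reviewing a theme or plugin for this defect class, look for every `wp_ajax_` and `wp_ajax_nopriv_` handler that writes to disk and confirm both a nonce check and a `current_user_can()` check run before the write.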
Mitigation Guidance
To mitigate the risks associated with this vulnerability, users of the affected Goza WordPress theme are urged to apply the latest vendor patch. As a temporary measure, users may also deploy a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) to block or detect unauthenticated file uploads to the theme, reducing the potential impact until the patch is applied.