{"id":76140,"date":"2025-09-25T14:17:14","date_gmt":"2025-09-25T14:17:14","guid":{"rendered":""},"modified":"2025-10-21T14:51:51","modified_gmt":"2025-10-21T20:51:51","slug":"cve-2025-10690-high-risk-unauthorized-file-upload-vulnerability-in-goza-nonprofit-charity-wordpress-theme","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-10690-high-risk-unauthorized-file-upload-vulnerability-in-goza-nonprofit-charity-wordpress-theme\/","title":{"rendered":"<strong>CVE-2025-10690: High-Risk Unauthorized File Upload Vulnerability in Goza &#8211; Nonprofit Charity WordPress Theme<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>CVE-2025-10690 is an unauthenticated arbitrary file upload vulnerability in the Goza WordPress theme. It affects all versions of the theme up to and including 3.2.2. Because an attacker can place files of their choosing on the web server, the flaw has severe consequences, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-7775-critical-memory-overflow-vulnerability-in-netscaler-adc-and-gateway-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"83866\">potentially leading to full system<\/a> compromise and data leakage. The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-50972-sql-injection-vulnerability-in-abantecart-1-4-2-with-a-high-severity-score\/\"  data-wpil-monitor-id=\"83518\">severity of this vulnerability<\/a> warrants immediate attention from both security teams and site owners running the affected theme.<br \/>\nThe Goza &#8211; Nonprofit Charity <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-8592-wordpress-inspiro-theme-vulnerability-to-cross-site-request-forgery-csrf\/\"  data-wpil-monitor-id=\"85364\">WordPress Theme<\/a> is widely used by nonprofits and charities for their WordPress sites. 
The vulnerability therefore affects a large number of users and organizations, and the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-52930-high-risk-memory-corruption-vulnerability-in-sail-image-decoding-library\/\"  data-wpil-monitor-id=\"90874\">risk this vulnerability<\/a> presents should not be underestimated; affected sites should act immediately to mitigate it.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-10690<br \/>\nSeverity: Critical (9.8)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-9253-stack-based-buffer-overflow-on-linksys-wi-fi-range-extenders-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"84354\">Potential full system<\/a> compromise or data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p>\n<table>\n<tr><th>Product<\/th><th>Affected Versions<\/th><\/tr>\n<tr><td><a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-10134-arbitrary-file-deletion-vulnerability-in-goza-nonprofit-charity-wordpress-theme\/\"  data-wpil-monitor-id=\"89087\">Goza &#8211; Nonprofit Charity WordPress<\/a> Theme<\/td><td>Up to, and including, 3.2.2<\/td><\/tr>\n<\/table>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>CVE-2025-10690 arises from a missing capability check on the &#8216;beplus_import_pack_install_plugin&#8217; function in the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-53243-critical-vulnerability-in-wordpress-employee-directory-plugin\/\"  data-wpil-monitor-id=\"85205\">Goza WordPress<\/a> theme: the function does not verify that the requesting user holds the permission needed to install plugins before it processes the upload. Because of this missing check, an attacker can <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-55454-authenticated-arbitrary-file-upload-vulnerability-in-dootask-v1-0-51\/\"  data-wpil-monitor-id=\"84429\">upload arbitrary files<\/a>, including zip files containing malicious webshells, disguised as plugins. 
These can be uploaded from remote locations without authentication, providing the attacker with the ability to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-0074-critical-remote-code-execution-vulnerability-in-sdp-discovery\/\"  data-wpil-monitor-id=\"83630\">execute remote code<\/a> on the affected system.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p>\n<p>Here is a conceptual example of how an attacker might exploit this vulnerability:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/wp-content\/themes\/goza\/beplus_import_pack_install_plugin HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/zip\n{ &quot;file&quot;: &quot;webshell.zip&quot; }<\/code><\/pre>\n<p>In this example, the attacker sends a POST request to the &#8216;beplus_import_pack_install_plugin&#8217; function, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-31100-unrestricted-file-upload-leads-to-web-shell-deployment-in-mojoomla-school-management\/\"  data-wpil-monitor-id=\"84672\">uploading a zip file<\/a> (&#8216;webshell.zip&#8217;) containing a malicious webshell. This webshell, once installed, gives the attacker the ability to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-22403-remote-code-execution-vulnerability-in-sdp-discovery-cc\/\"  data-wpil-monitor-id=\"83900\">execute remote code<\/a> on the affected system, potentially leading to full system compromise or data leakage.<\/p>\n<p><strong>Mitigation Guidance<\/strong><\/p>\n<p>To mitigate the risks associated with this vulnerability, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-9114-critical-arbitrary-user-password-change-vulnerability-in-doccure-wordpress-theme\/\"  data-wpil-monitor-id=\"88261\">users of the affected Goza WordPress<\/a> theme are urged to apply the latest vendor patch. 
As a temporary measure, users may also use a Web Application Firewall (WAF) or an Intrusion Detection System (IDS). These measures can help to block or detect malicious file uploads, reducing the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-9791-critical-vulnerability-in-tenda-ac20-16-03-08-05-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"84974\">potential impact of this vulnerability<\/a> until a permanent solution can be implemented.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The CVE-2025-10690 vulnerability is a potent security flaw that poses a significant threat to users of the Goza WordPress theme. This vulnerability, which affects all versions of the theme up to and including version 3.2.2, allows for unauthorized arbitrary file uploads. This flaw can lead to devastating consequences, potentially leading to full system compromise [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-76140","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/76140","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=76140"}],"version-history":[{"count":13,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/76140\/revisions"}],"predecessor-version":[{"id":83820,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/76140\/revisions\/83820"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=76140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=76140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=76140"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=76140"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=76140"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=76140"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=76140"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=76140"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=76140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}