A critical vulnerability has been identified in The Goza's Nonprofit Charity WordPress Theme, which could allow an attacker to delete arbitrary files on the server. This flaw, tracked as CVE-2025-10134 with a CVSS score of 9.1, can be exploited to cause a denial of service, destroy critical data, or potentially lead to a complete website takeover. Organizations using the affected theme are urged to apply the vendor's patch immediately to mitigate the significant risk of compromise.

The vulnerability exists within the alone_import_pack_restore_data() function of The Goza WordPress theme. Due to insufficient validation of user-supplied file paths, an authenticated attacker can use path traversal techniques (e.g., ../../) to target and delete files outside of the intended directory. By crafting a malicious request to this function, an attacker could delete critical WordPress core files, such as wp-config.php, effectively disabling the website or forcing it into a re-installation state that the attacker could then control.

This vulnerability is rated as critical severity with a CVSS score of 9.1, posing a significant threat to business operations. Successful exploitation could lead to immediate and severe consequences, including website defacement, extended downtime (denial of service), and irreversible loss of website data if backups are not available. The deletion of configuration files could allow an attacker to initiate the WordPress setup process and gain full administrative control over the website, leading to a complete compromise of sensitive information, reputational damage, and potential loss of donor trust.

Immediate Action: Immediately update The Goza Multiple Products to the latest patched version provided by the vendor. Before deploying to production, test the update in a staging environment to ensure compatibility. Concurrently, begin reviewing web server and application access logs for any suspicious activity related to the vulnerable function.

Proactive Monitoring: Implement enhanced monitoring of the web server. Specifically, look for unusual POST requests to WordPress admin functions that reference alone_import_pack_restore_data(). Utilize a File Integrity Monitoring (FIM) system to alert on any unauthorized changes or deletions to critical files, especially wp-config.php, .htaccess, and core theme/plugin files.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Deploy a Web Application Firewall (WAF) with rules designed to block path traversal attack patterns.
• Restrict access to the WordPress administrative dashboard (/wp-admin/) to only trusted IP addresses.
• Enforce the principle of least privilege for all WordPress user accounts to limit the number of users who could potentially exploit the vulnerability.
• Ensure a robust and tested backup and recovery plan is in place to restore the website in the event of a compromise.

Public Exploit Available: false

Given the critical CVSS score of 9.1, this vulnerability requires immediate attention. The potential for complete website compromise presents an unacceptable risk. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patch across all affected websites without delay. Although this CVE is not currently listed on the CISA KEV catalog, its high impact makes it a likely candidate for future inclusion. Proactive patching and monitoring are the most effective measures to prevent exploitation.