A critical vulnerability has been identified in The Goza's Nonprofit Charity WordPress Theme, which allows an unauthenticated attacker to upload arbitrary files to an affected website. Successful exploitation could lead to a complete compromise of the web server, enabling the attacker to execute malicious code, steal sensitive data, and take full control of the site. Due to the high severity (CVSS 9.8), immediate patching is required to prevent a potential breach.

The vulnerability exists within the beplus_import_pack_install_plugin function of The Goza WordPress theme. This function fails to perform a proper capability check, which is a security mechanism in WordPress used to verify if a user has the necessary permissions to perform a specific action. Because this check is missing, an unauthenticated attacker can directly call this function and leverage it to upload a malicious file (such as a PHP web shell) to the server, resulting in arbitrary code execution.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a devastating impact on the organization, leading to a full system compromise. Potential consequences include the theft of sensitive data (customer information, payment details, internal documents), website defacement, service disruption, and reputational damage. The compromised server could also be used as a pivot point to launch further attacks against the internal network or be leveraged to distribute malware and host phishing campaigns, creating significant legal and financial liabilities.

Immediate Action: Immediately update The Goza theme and any related affected products to the latest patched version as recommended by the vendor. After patching, it is crucial to review web server access logs and file system logs for any signs of exploitation that may have occurred prior to the update.

Proactive Monitoring: Monitor web server logs for suspicious POST requests, particularly those targeting WordPress AJAX endpoints (e.g., wp-admin/admin-ajax.php) that reference the beplus_import_pack_install_plugin action. Implement file integrity monitoring to detect the creation of unexpected or unauthorized files (e.g., .php, .phtml) in web-accessible directories, such as /wp-content/uploads/.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a rule to block any requests attempting to access the vulnerable beplus_import_pack_install_plugin function. Additionally, consider disabling the theme temporarily until a patch can be applied. Harden server permissions to prevent the execution of scripts from upload directories as a defense-in-depth measure.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability poses a severe and immediate risk to the organization. The Analyst recommends that all systems running the affected Goza products be patched immediately without delay. Although this CVE is not currently listed on the CISA KEV catalog, its high severity makes it a prime candidate for future inclusion. Organizations should assume they may have already been compromised if running a vulnerable version and should actively hunt for indicators of compromise, such as unexpected files on the server or suspicious outbound network traffic.