CVE-2025-10134: CWE-73 External Control of File Name or Path in Bearsthemes Goza - Nonprofit Charity WordPress Theme
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-10134 is a critical security vulnerability found in the Goza - Nonprofit Charity WordPress Theme developed by Bearsthemes, specifically affecting all versions up to and including 3.2.2. The vulnerability arises from insufficient validation of file paths in the function alone_import_pack_restore_data(). This flaw allows unauthenticated attackers to perform arbitrary file deletion on the server hosting the WordPress site. Because the vulnerability does not require any authentication or user interaction, it can be exploited remotely over the network. The impact of arbitrary file deletion is severe; attackers can delete critical files such as wp-config.php, which contains database credentials and configuration settings. Deleting such files can lead to denial of service by breaking the website or, more dangerously, enable remote code execution (RCE) if attackers manipulate the environment or trigger fallback behaviors. The CVSS v3.1 score of 9.1 (critical) reflects the high impact on integrity and availability, with a network attack vector and no privileges or user interaction required. Although no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a high-risk threat. The CWE-73 classification (External Control of File Name or Path) highlights the root cause as improper sanitization or validation of user-supplied input controlling file paths, a common and dangerous security weakness in web applications. This vulnerability is particularly concerning for WordPress sites using the Goza theme, which is targeted at nonprofit and charity organizations, potentially exposing sensitive data and disrupting critical services.
Potential Impact
For European organizations, especially nonprofits and charities that rely on WordPress and the Goza theme, this vulnerability poses a significant risk. Exploitation can lead to website defacement, data loss, or complete service disruption, undermining trust and operational continuity. The deletion of configuration files or other critical assets can facilitate further attacks, including remote code execution, allowing attackers to gain persistent access or pivot within the network. This can result in data breaches, loss of donor information, and reputational damage. Given the theme's focus on nonprofit entities, many of which handle sensitive personal and financial data, the impact extends beyond availability to potential confidentiality breaches. Additionally, disruption of online fundraising or communication platforms can have direct financial and social consequences. The vulnerability's unauthenticated and remote exploitation vector increases the likelihood of automated scanning and attacks, making timely mitigation essential for European organizations to maintain compliance with data protection regulations such as GDPR.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the Goza theme to a patched version once released by Bearsthemes. In the absence of an official patch, temporarily disabling or removing the vulnerable alone_import_pack_restore_data() functionality or restricting access to it via web application firewall (WAF) rules can reduce risk. Implementing strict input validation and sanitization on file path parameters is critical to prevent exploitation. Organizations should also conduct thorough audits of their WordPress installations to identify the use of the Goza theme and verify version numbers. Regular backups of website files and configurations should be maintained to enable rapid recovery in case of file deletion. Monitoring web server logs and employing intrusion detection systems to detect unusual file deletion attempts can provide early warning. Additionally, restricting file system permissions for the web server user to limit the ability to delete critical files can reduce impact. Finally, educating site administrators about the risks and ensuring timely application of security updates is essential to maintain a secure environment.
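One way to implement the strict path validation and access restriction described above, as an added example that is not the Goza theme's code: a hypothetical WordPress AJAX restore handler that confines deletions to a fixed backup directory under uploads, rejects any name that resolves outside it, and requires an administrator with a valid nonce before touching the filesystem. All function, action, nonce and directory names are assumptions.

```php
<?php
// Illustrative hardened restore handler for a WordPress theme (example code,
// not the Goza theme's own). Names prefixed "example_" are hypothetical.

/**
 * Resolve a user-supplied backup name to a canonical path inside the allowed
 * directory, or return null. This blocks CWE-73 style escapes such as
 * "../../wp-config.php" and symlinks pointing outside the directory.
 */
function example_resolve_restore_file( string $user_supplied ): ?string {
    // Assumption: restore files live under wp-content/uploads/example-backups.
    $upload_dir = wp_upload_dir();
    $base = realpath( trailingslashit( $upload_dir['basedir'] ) . 'example-backups' );
    if ( false === $base ) {
        return null; // directory does not exist; nothing may be deleted
    }

    // A restore file is referenced by bare name only; drop any directory part.
    $name = basename( wp_unslash( $user_supplied ) );
    if ( '' === $name || '.' === $name || '..' === $name ) {
        return null;
    }

    // Canonicalise and confirm the result still sits below $base.
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $candidate || 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }

    // Only regular files are deletable (no directories, devices, etc.).
    return is_file( $candidate ) ? $candidate : null;
}

/**
 * AJAX handler: the original flaw was reachable unauthenticated, so the
 * handler demands a nonce and the manage_options capability first.
 */
function example_restore_data_handler(): void {
    check_ajax_referer( 'example_restore_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $file = example_resolve_restore_file( (string) ( $_POST['file'] ?? '' ) );
    if ( null === $file ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $file ); // WordPress wrapper around unlink()
    wp_send_json_success();
}
// Registered only for logged-in users; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_restore_data', 'example_restore_data_handler' );
```

Registering only the wp_ajax_ hook (and not wp_ajax_nopriv_) keeps the endpoint unreachable for unauthenticated requests, which removes the attack surface the advisory describes regardless of the path check.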
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-08T20:03:24.392Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c080a332300b81c82d9679
Added to database: 9/9/2025, 7:31:47 PM
Last enriched: 9/9/2025, 7:35:00 PM
Last updated: 9/9/2025, 9:12:27 PM