CVE-2025-10134: CWE-73 External Control of File Name or Path in Bearsthemes Goza - Nonprofit Charity WordPress Theme
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-10134 is a critical security vulnerability affecting the Goza - Nonprofit Charity WordPress theme developed by Bearsthemes, specifically in all versions up to and including 3.2.2. The vulnerability stems from insufficient validation of file paths in the alone_import_pack_restore_data() function. This flaw allows unauthenticated attackers to perform arbitrary file deletion on the web server hosting the WordPress site. By manipulating the file path parameters, attackers can delete critical files such as wp-config.php, which contains database credentials and configuration settings. Deleting such files can lead to remote code execution, because the site is left in a broken state that an attacker may exploit to install malicious code or gain further control over the server. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely over the network. The CVSS v3.1 base score is 9.1, reflecting the ease of exploitation (network vector, low attack complexity, no privileges required, no user interaction) and the severe impact on integrity and availability. Although no known exploits have been reported in the wild yet, the vulnerability poses a significant risk to WordPress sites using this theme, especially those that are publicly accessible and not behind additional protective layers. The lack of an official patch at the time of reporting further increases the urgency for mitigation.
Potential Impact
The impact of CVE-2025-10134 is severe for organizations using the Goza WordPress theme. Arbitrary file deletion can disrupt website functionality, cause data loss, and compromise site integrity. Deletion of critical files like wp-config.php can lead to remote code execution, allowing attackers to take full control of the affected server. This can result in defacement, data breaches, deployment of malware, or use of the compromised server for further attacks. Nonprofit organizations relying on this theme for their online presence may face reputational damage and operational downtime. The vulnerability’s unauthenticated and network-exploitable nature means attackers can easily target vulnerable sites en masse, increasing the risk of widespread exploitation. Additionally, the loss of availability and integrity can affect trust and service continuity, impacting donations, communications, and other critical nonprofit functions.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade the Goza theme to a patched version once available from Bearsthemes. Until a patch is released, administrators should disable or restrict access to the vulnerable alone_import_pack_restore_data() function, possibly by disabling theme import features or restricting access via web application firewalls (WAFs) or server-level access controls. Implementing strict input validation and sanitization on file path parameters can reduce risk. Regular backups of critical files like wp-config.php should be maintained to enable quick recovery. Monitoring web server logs for suspicious requests targeting the import functionality can help detect exploitation attempts. Additionally, applying the principle of least privilege to the web server’s file system permissions can limit the damage caused by arbitrary file deletion. Employing security plugins that detect and block malicious activity on WordPress sites is also recommended. Finally, organizations should conduct security audits to identify and remediate other potential vulnerabilities in their WordPress environment.
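The recommendations above (restrict the restore function to authorised users, validate file path parameters strictly) can be made concrete in code. The following is an added example written for this page, not the Goza theme's own code or a patch for it: a hypothetical WordPress AJAX restore handler that (1) refuses unauthenticated and under-privileged callers, (2) accepts only a bare file name from an allow-listed pattern, and (3) canonicalises the path with realpath() and checks that it stays inside the intended backups directory before calling unlink(). Every name prefixed `example_`, the `example-backups` directory and the `file`/`nonce` request parameters are assumptions; the page does not say how the vulnerable function receives its input.

```php
<?php
/**
 * Added example, not the theme's code: a hardened restore/delete handler
 * showing the checks a WordPress import routine should apply before
 * deleting a file named by request data. All "example_" names are
 * hypothetical.
 */

/**
 * Resolve $candidate and confirm it lies inside $base_dir.
 * Returns the canonical absolute path, or false on any failure.
 */
function example_resolve_inside( string $base_dir, string $candidate ) {
    $base = realpath( $base_dir );
    $real = realpath( $candidate );
    if ( false === $base || false === $real ) {
        return false; // base missing, or candidate does not exist / dangling link
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    // Prefix check on canonical paths defeats "../" segments and symlink tricks.
    if ( strncmp( $real, $base, strlen( $base ) ) !== 0 ) {
        return false;
    }
    return $real;
}

/**
 * Delete one backup file chosen by its basename only.
 * Rejects traversal, absolute paths, unexpected extensions and anything
 * that resolves outside the backups directory.
 */
function example_delete_backup( string $backup_dir, string $requested ) : bool {
    // 1. Accept a bare file name only: no directory component at all.
    if ( $requested === '' || basename( $requested ) !== $requested ) {
        return false;
    }
    // 2. Allow-list the characters and extension a backup name may have.
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.json$/', $requested ) ) {
        return false;
    }
    // 3. Canonicalise and confirm containment before touching the file system.
    $target = example_resolve_inside( $backup_dir, $backup_dir . DIRECTORY_SEPARATOR . $requested );
    if ( false === $target || ! is_file( $target ) ) {
        return false;
    }
    return unlink( $target );
}

/**
 * AJAX entry point: unauthenticated callers and users without the
 * required capability never reach the file operation.
 */
function example_ajax_restore_data() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_restore', 'nonce' ); // dies on a bad or missing nonce
    $backup_dir = wp_get_upload_dir()['basedir'] . '/example-backups'; // assumed location
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( example_delete_backup( $backup_dir, $name ) ) {
        wp_send_json_success( 'deleted' );
    }
    wp_send_json_error( 'invalid file', 400 );
}
// Registered for logged-in users only; deliberately no wp_ajax_nopriv_ hook,
// so an unauthenticated request cannot reach the handler at all.
add_action( 'wp_ajax_example_restore_data', 'example_ajax_restore_data' );
```

The order of the checks matters: the capability and nonce checks run before any request value is interpreted, and the containment check is done on the realpath() result rather than on the raw string, so that neither `../` segments nor a symlink planted inside the backups directory can steer the unlink() at wp-config.php or any other file outside the allowed tree.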
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, India, Brazil, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-08T20:03:24.392Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c080a332300b81c82d9679
Added to database: 9/9/2025, 7:31:47 PM
Last enriched: 2/27/2026, 6:08:20 PM
Last updated: 3/24/2026, 4:35:28 PM