CVE-2025-10690: CWE-862 Missing Authorization in Bearsthemes Goza - Nonprofit Charity WordPress Theme
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
AI Analysis
Technical Summary
CVE-2025-10690 is a critical security vulnerability affecting the Goza - Nonprofit Charity WordPress Theme developed by Bearsthemes, specifically all versions up to and including 3.2.2. The vulnerability stems from a missing authorization check (CWE-862) in the 'beplus_import_pack_install_plugin' function. This function is responsible for importing and installing plugin packages, but due to the lack of capability verification, it allows unauthenticated attackers to upload arbitrary zip files remotely. These zip files can contain malicious webshells disguised as legitimate plugins. Once uploaded, attackers can execute arbitrary code on the affected WordPress site, leading to full remote code execution (RCE). The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity with network attack vector, no required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the ease of exploitation and the critical impact make this a highly dangerous threat. The absence of patches at the time of disclosure further exacerbates the risk for users of this theme. This vulnerability is particularly concerning because WordPress themes are widely used and often trusted components, and unauthorized plugin installation can compromise the entire web server environment hosting the site.
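The root cause above is a CWE-862 gap: a request handler that installs code without first asking WordPress whether the caller is allowed to. The following is an added example, not code from the Goza theme, Bearsthemes or Wordfence: a minimal admin-ajax handler for installing a plugin package that performs the checks the advisory describes as missing. The function name, action name, nonce name, plugin slug and package URL are hypothetical; the WordPress functions (`current_user_can`, `check_ajax_referer`, `Plugin_Upgrader`, `wp_send_json_error`) are real core APIs.

```php
<?php
// Added example (not the theme's code): an authenticated-only install handler.
// Only the 'wp_ajax_' hook is registered. Omitting 'wp_ajax_nopriv_' means
// logged-out visitors never reach this function at all.
add_action( 'wp_ajax_example_import_pack_install_plugin', 'example_import_pack_install_plugin' );

function example_import_pack_install_plugin() {
    // 1. Capability check. This is the authorization step whose absence the
    //    advisory describes: only users who may install plugins get further.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action
    //    (hypothetical nonce name; check_ajax_referer() dies on failure).
    check_ajax_referer( 'example_import_pack_nonce', 'nonce' );

    // 3. Never install from a client-supplied location. The handler only knows
    //    a fixed allowlist of packages; the entry below is a placeholder.
    $allowed_packages = array(
        'example-plugin' => 'https://PLACEHOLDER.example/packages/example-plugin.zip',
    );
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! isset( $allowed_packages[ $slug ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin package.' ), 400 );
    }

    // 4. Install through core's upgrader rather than hand-rolled unzip logic, so
    //    fetching, archive validation and unpacking under wp-content/plugins are
    //    handled by WordPress itself.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $allowed_packages[ $slug ] );

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
```

The order of the checks matters: the capability test comes before any input is read or any file is touched, so an unauthenticated or low-privileged request is rejected before the handler does anything with side effects. Auditing a theme for this class of bug means looking at every `wp_ajax_nopriv_` registration and every handler that writes files or installs code, and confirming that a `current_user_can()` call with an appropriate capability (here `install_plugins`) guards it.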
Potential Impact
For European organizations, especially nonprofits and charities using the Goza WordPress theme, this vulnerability poses a severe risk. Successful exploitation can lead to complete site takeover, data breaches involving sensitive donor or organizational information, defacement, or use of the compromised server for further attacks such as phishing or malware distribution. The impact extends beyond the individual site to the hosting infrastructure, potentially affecting shared hosting environments common in Europe. Given the GDPR regulations, any data breach resulting from this vulnerability could lead to significant legal and financial penalties. Additionally, reputational damage to nonprofit organizations can undermine trust and funding. The critical nature of the vulnerability means attackers can operate remotely without authentication or user interaction, increasing the likelihood of automated scanning and exploitation attempts targeting European websites.
Mitigation Recommendations
- Disable or remove the Goza theme until a secure update is released.
- Monitor WordPress installations for unauthorized plugin uploads or unexpected zip files in plugin directories.
- Deploy a Web Application Firewall (WAF) with rules that block suspicious file upload patterns to reduce exposure.
- Restrict file upload permissions on the server so that unauthorized writes outside the expected directories are not possible.
- Regularly audit user roles and capabilities to ensure no excessive privileges are granted.
- Employ intrusion detection systems to identify anomalous webshell activity.
- Once a patch is available, promptly update the theme to the fixed version.
- Maintain regular backups and an incident response plan to recover quickly from a compromise.
- Educate site administrators about this vulnerability and encourage the use of security plugins that monitor file integrity.
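The monitoring advice above (watch for unexpected zip files and unauthorized plugin installs) can be turned into a small scheduled check. The script below is an added example, not part of the advisory or of any vendor tooling: a command-line scan that walks a WordPress plugins directory, reports archive files left inside the plugin tree (a normal installation does not leave a .zip behind there) and lists top-level plugin entries created or modified after a reference time. The default path and the seven-day window are assumptions; adjust both to the site.

```php
<?php
/**
 * Added example (not from the advisory): scan wp-content/plugins for signs of
 * an unexpected plugin upload. Exit status is 1 when something was flagged,
 * so a cron job can turn it into an alert.
 *
 * Usage: php scan_plugins.php /var/www/html/wp-content/plugins 2025-09-18
 */

$pluginsDir = $argv[1] ?? '/var/www/html/wp-content/plugins';   // assumed path
$since      = isset( $argv[2] ) ? strtotime( $argv[2] ) : time() - 7 * 86400; // assumed window

if ( false === $since ) {
    fwrite( STDERR, "Unparseable reference time: {$argv[2]}\n" );
    exit( 2 );
}
if ( ! is_dir( $pluginsDir ) ) {
    fwrite( STDERR, "Not a directory: $pluginsDir\n" );
    exit( 2 );
}

$archiveExt = array( 'zip', 'tar', 'gz', 'tgz', 'phar' );
$archives   = array();   // archive files anywhere under the plugin tree
$recent     = array();   // top-level plugin dirs / single-file plugins changed since $since

$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $pluginsDir, FilesystemIterator::SKIP_DOTS ),
    RecursiveIteratorIterator::SELF_FIRST
);

foreach ( $iterator as $path => $info ) {
    if ( $info->isFile() && in_array( strtolower( $info->getExtension() ), $archiveExt, true ) ) {
        $archives[] = $path;
        continue;
    }
    // Depth 0 is a direct child of the plugins directory, i.e. one plugin.
    if ( 0 === $iterator->getDepth() && $info->getMTime() >= $since ) {
        $recent[] = $path;
    }
}

$flagged = false;
if ( $archives ) {
    $flagged = true;
    echo "Archive files inside the plugin tree (review; remove if unexpected):\n";
    foreach ( $archives as $p ) {
        echo "  $p\n";
    }
}
if ( $recent ) {
    $flagged = true;
    echo 'Plugin entries created or modified since ' . date( 'c', $since ) . ":\n";
    foreach ( $recent as $p ) {
        echo '  ' . $p . '  (' . date( 'c', filemtime( $p ) ) . ")\n";
    }
}
if ( ! $flagged ) {
    echo "Nothing flagged under $pluginsDir\n";
}
exit( $flagged ? 1 : 0 );
```

Run it from the web server host, ideally as a user other than the one the web server runs as, and compare its output against the change log of legitimate plugin installs. A new plugin directory that nobody on the team installed, or an archive sitting next to the plugin folders, is exactly the trace this vulnerability class leaves and warrants treating the site as potentially compromised.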
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-18T13:57:31.775Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ccc437ca83b36a9f716bdd
Added to database: 9/19/2025, 2:47:19 AM
Last enriched: 9/19/2025, 3:02:18 AM
Last updated: 9/19/2025, 3:51:06 AM
Related Threats
- CVE-2025-8487: CWE-862 Missing Authorization in extendthemes Kubio AI Page Builder (Medium)
- CVE-2025-59717: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') in DigitalOcean @digitalocean/do-markdownit (Medium)
- CVE-2025-59678 (Low)
- CVE-2025-59677 (Low)
- CVE-2025-59676 (Low)