CVE-2025-10690: CWE-862 Missing Authorization in Bearsthemes Goza - Nonprofit Charity WordPress Theme
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
AI Analysis
Technical Summary
CVE-2025-10690 is a critical security vulnerability in the Bearsthemes Goza - Nonprofit Charity WordPress Theme, affecting all versions up to and including 3.2.2. The root cause is a missing authorization check (CWE-862) in the 'beplus_import_pack_install_plugin' function, which is responsible for importing plugin packs. Because the function never verifies the caller's capability, unauthenticated attackers can upload arbitrary zip files remotely. These zip files can contain webshells disguised as legitimate plugins, enabling attackers to execute arbitrary code on the affected server. The vulnerability requires neither authentication nor user interaction, making it trivially exploitable over the network. The CVSS v3.1 base score of 9.8 reflects the critical nature of this flaw: network attack vector (AV:N), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability is particularly dangerous because it allows full remote code execution, potentially leading to complete server takeover, data theft, defacement, or use of the server as a pivot point for further attacks. Although no exploits in the wild were known at the time of publication, the vulnerability's characteristics make it a prime target for attackers. The affected product is a WordPress theme used primarily by nonprofit organizations, which may have less robust security postures, increasing risk. No official patches or updates have been linked yet, which makes immediate mitigation by administrators essential.
Potential Impact
The impact of CVE-2025-10690 is severe and wide-ranging. Successful exploitation results in unauthenticated remote code execution, allowing attackers to fully compromise affected WordPress sites. This can lead to unauthorized data access, data modification or deletion, website defacement, and use of the compromised server to launch further attacks such as phishing, malware distribution, or lateral movement within networks. Nonprofit organizations using the Goza theme may face reputational damage, loss of donor trust, and potential legal consequences due to data breaches. Additionally, compromised servers can be enlisted into botnets or used to attack other targets, amplifying the threat. The vulnerability's ease of exploitation and high impact on confidentiality, integrity, and availability make it a critical risk for organizations worldwide using this theme. Because neither authentication nor user interaction is required, automated attacks and mass exploitation campaigns are feasible, significantly widening the exposure.
Mitigation Recommendations
1. Immediately remove or disable the Goza - Nonprofit Charity WordPress Theme until a patched version is released.
2. Monitor official Bearsthemes channels and WordPress theme repositories for security updates or patches addressing CVE-2025-10690 and apply them promptly.
3. Implement Web Application Firewall (WAF) rules to block requests targeting the 'beplus_import_pack_install_plugin' function or suspicious plugin upload attempts.
4. Restrict file upload permissions on the server to prevent unauthorized write access, especially to plugin directories.
5. Conduct thorough audits of existing installations for any signs of compromise, including unknown plugins or webshell files.
6. Harden WordPress installations by disabling plugin and theme installations for non-admin users and limiting administrative access via IP whitelisting or multi-factor authentication.
7. Regularly back up WordPress sites and databases to enable quick recovery in case of compromise.
8. Employ intrusion detection systems to alert on anomalous file uploads or code execution patterns.
9. Educate site administrators about the risks of installing unverified themes and plugins and encourage use of only trusted sources.
10. Consider isolating WordPress environments using containerization or sandboxing to limit the blast radius of potential exploits.
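The control CWE-862 says is missing here is a capability check in front of the plugin installer. The handler below is an added example of what a hardened theme-side installer looks like; it is not the Goza theme's own code, and the AJAX hook name, the nonce action name, the `$allowed_plugins` list and the download URLs are assumptions constructed for illustration.

```php
<?php
/**
 * Hardened WordPress AJAX handler for a theme "plugin pack" installer.
 * Added example, not code from the Goza theme. Assumed for illustration:
 * the hook name, the nonce action 'beplus_install_plugin', and the
 * $allowed_plugins slugs/URLs (constructed sample values).
 */

// Register only the authenticated hook. Deliberately no
// 'wp_ajax_nopriv_...' registration: anonymous visitors never reach an installer.
add_action( 'wp_ajax_beplus_import_pack_install_plugin', 'beplus_import_pack_install_plugin_hardened' );

function beplus_import_pack_install_plugin_hardened() {
    // 1. CSRF check: the request must carry a nonce minted for this action.
    check_ajax_referer( 'beplus_install_plugin', 'nonce' );

    // 2. Authorization check (the missing control in CWE-862): only users who
    //    may install plugins, and only when site policy (DISALLOW_FILE_MODS)
    //    permits file modifications at all.
    if ( ! current_user_can( 'install_plugins' ) || ! wp_is_file_mod_allowed( 'install_plugin' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Never take a package URL from the request. Resolve a slug against a
    //    fixed allowlist of vetted packages (constructed sample values).
    $allowed_plugins = array(
        'example-forms'  => 'https://downloads.example.invalid/example-forms.zip',
        'example-donate' => 'https://downloads.example.invalid/example-donate.zip',
    );
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! isset( $allowed_plugins[ $slug ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin package.' ), 400 );
    }

    // 4. Install through core's upgrader so WordPress performs the unzip and
    //    plugin-header validation rather than ad hoc file writes.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $allowed_plugins[ $slug ] );

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
}
```

Each `wp_send_json_error()` call terminates the request, so a caller that fails the nonce, capability or allowlist check never reaches the installer.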
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, India, Brazil, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-18T13:57:31.775Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ccc437ca83b36a9f716bdd
Added to database: 9/19/2025, 2:47:19 AM
Last enriched: 2/27/2026, 6:34:04 PM
Last updated: 3/24/2026, 10:43:41 PM