CVE-2025-10134: 
WordPress vulnerability analysis and mitigation

The Goza - Nonprofit Charity WordPress Theme for WordPress contains a critical vulnerability (CVE-2025-10134) that affects all versions up to and including 3.2.2. The vulnerability was discovered and reported by Wordfence, with the initial disclosure made on September 9, 2025 (NVD).

The vulnerability stems from insufficient file path validation in the aloneimportpackrestoredata() function. This security flaw has been assigned a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. The weakness is classified as CWE-73 (External Control of File Name or Path) (Wordfence).

The vulnerability allows unauthenticated attackers to delete arbitrary files on the server. This capability is particularly dangerous as it can lead to remote code execution when critical files, such as wp-config.php, are targeted. The high severity rating reflects the potential for significant system compromise (NVD).

Website administrators running the Goza - Nonprofit Charity WordPress Theme should immediately update their installations to a version newer than 3.2.2 when available. In the interim, it is recommended to implement additional security measures such as web application firewalls and regular security monitoring (Themeforest).