CVE Alert: CVE-2025-6990 – hogash – KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme
CVE-2025-6990
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
AI Summary Analysis
Risk verdict
High risk of authenticated remote code execution on affected KALLYAS themes; patch promptly to prevent potential full site compromise.
Why this matters
Attacker goals could include arbitrary server code execution, site defacement, data exfiltration, or compromise of customer transactions on WordPress e-commerce sites. Because exploitation requires Contributor-level authentication, the impact is greatest on sites that hand out contributor accounts, and the authentication requirement is a weak barrier where the admin interface is exposed or roles are misconfigured.
Most likely attack path
An attacker with Contributor-level (or higher) access logs in and uses the TH_PhpCode widget, which the theme fails to restrict to administrators, to inject and execute code. The attack vector is the network: no physical proximity is needed, but valid credentials are. Once code execution is achieved, the attacker operates in the web server's context (CVSS scope unchanged), from which lateral movement or persistence can follow.
Who is most exposed
WordPress sites using the KALLYAS theme up to version 4.24.0, especially those with contributor accounts or weak role governance, on shared or managed WordPress hosting where theme editors or code widgets are accessible.
Detection ideas
- Unexpected PHP code execution via the TH_PhpCode widget (anomalous edits in theme editor).
- Shell-like processes spawned by the web server, or PHP eval/base64_decode activity visible in web server logs.
- Unusual file edits in the theme directory or wp-content/uploads paths tied to the widget.
- Elevated activity after user login from contributor accounts (abnormal session patterns).
- Webshell indicators or outbound connections from the web server.
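The file-based indicators in this list (PHP dropped under wp-content/uploads, eval/base64_decode loaders, theme files edited outside a planned update) can be checked with a small scanner. The script below is an added example, not part of the advisory or the theme vendor's code; it builds a throwaway wp-content tree with constructed sample files so it runs offline, and the suspicious-call list and the "baseline" timestamp are assumptions a defender would tune to their own site.

```python
"""Scan a WordPress wp-content tree for the file-based indicators above."""
from __future__ import annotations

import os
import re
import tempfile
import time
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5", ".phar"}

# Calls that are legitimate in some code but rarely belong in uploads/ or in
# theme files that changed outside of a planned update (assumed list; tune it).
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|system|shell_exec|passthru|exec|assert)\s*\(",
    re.IGNORECASE,
)


def scan_php_file(path: Path) -> list[str]:
    """Return the suspicious call names found in one file, deduplicated and sorted."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(text)})


def scan_install(wp_content: Path, baseline_mtime: float) -> list[dict]:
    """Walk uploads/ and themes/ and report every file matching an indicator.

    baseline_mtime: epoch seconds of the last known-good change (for example the
    last planned theme update); theme files newer than this are reported.
    """
    findings = []
    uploads = wp_content / "uploads"
    themes = wp_content / "themes"
    for root in (uploads, themes):
        if not root.is_dir():
            continue
        for path in sorted(root.rglob("*")):
            if not path.is_file():
                continue
            reasons = []
            is_php = path.suffix.lower() in PHP_EXT
            if is_php and root == uploads:
                reasons.append("php-in-uploads")  # uploads should hold media, not code
            if is_php:
                hits = scan_php_file(path)
                if hits:
                    reasons.append("suspicious-calls:" + ",".join(hits))
            if root == themes and path.stat().st_mtime > baseline_mtime:
                reasons.append("modified-after-baseline")
            if reasons:
                findings.append(
                    {"path": path.relative_to(wp_content).as_posix(), "reasons": reasons}
                )
    return findings


def build_sample_install() -> tuple[Path, float]:
    """Construct a throwaway wp-content tree: one clean file, two that should be flagged."""
    base = Path(tempfile.mkdtemp(prefix="wp-content-"))
    baseline = time.time() - 3600  # assume the last planned change was an hour ago
    old = baseline - 86400

    clean = base / "themes" / "kallyas" / "functions.php"
    clean.parent.mkdir(parents=True)
    clean.write_text("<?php\nadd_action('init', 'kallyas_setup');\n")
    os.utime(clean, (old, old))  # untouched since before the baseline

    edited = base / "themes" / "kallyas" / "header.php"
    edited.write_text("<?php\nget_header();\n")  # mtime is 'now': changed after the baseline

    dropped = base / "uploads" / "2025" / "image.php"
    dropped.parent.mkdir(parents=True)
    # constructed sample: the base64 payload decodes to the harmless statement 'echo 1;'
    dropped.write_text("<?php eval(base64_decode('ZWNobyAxOw=='));\n")

    (base / "uploads" / "2025" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed stub")
    return base, baseline


if __name__ == "__main__":
    root, baseline = build_sample_install()
    for finding in scan_install(root, baseline):
        print(finding["path"], "->", ", ".join(finding["reasons"]))
```

Run against a real site by calling `scan_install(Path("/var/www/html/wp-content"), baseline)` with the timestamp of the last planned deployment; the mtime check is what surfaces "unusual file edits in the theme directory", while the call scan covers the eval/base64_decode and webshell items. The regex will also match benign uses of these functions in legitimate plugins, so treat hits as triage leads rather than verdicts.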
Mitigation and prioritisation
- Patch to a non-vulnerable KALLYAS release (≥ 4.24.1 or as advised by the vendor); verify integrity of theme files.
- Disable direct access to code editors for non-admins; enable WordPress DISALLOW_FILE_EDIT.
- Enforce least-privilege: restrict contributor accounts, review roles, and disable unused accounts.
- Implement primary controls: MFA for admin accounts, WAF rules targeting RCE patterns, and monitor for suspicious widget usage.
- Change-management: test patch in staging, plan a staged rollout, and audit post-patch access logs. If KEV or EPSS indicators become positive, elevate to priority 1.
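Two of the mitigation items above can be verified mechanically: that the installed theme is past 4.24.0, and that DISALLOW_FILE_EDIT is actually defined (not just present in a commented-out line) in wp-config.php. The audit script below is an added example, not part of the advisory or the theme vendor's tooling; it assumes the theme lives in the directory `wp-content/themes/kallyas` and reads the `Version:` header that WordPress requires in every theme's style.css. It builds sample sites in temporary directories so it runs offline. Note that DISALLOW_FILE_EDIT governs the built-in theme and plugin file editor, which is a separate surface from the page-builder widget named in the advisory, so the version check is the decisive one.

```python
"""Audit a WordPress install for two items in the mitigation list."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Highest affected version stated in the advisory.
LAST_VULNERABLE = (4, 24, 0)

# define('DISALLOW_FILE_EDIT', true); with any spacing or quote style.
DISALLOW_RE = re.compile(
    r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.IGNORECASE
)


def parse_theme_version(style_css: str) -> tuple[int, ...] | None:
    """Read the 'Version:' header from a theme's style.css; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", style_css, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def theme_is_vulnerable(version: tuple[int, ...]) -> bool:
    """True for every version up to and including LAST_VULNERABLE."""
    padded = version + (0,) * (3 - len(version))  # treat 4.24 as 4.24.0
    return padded <= LAST_VULNERABLE


def file_edit_disallowed(wp_config: str) -> bool:
    """True only if an uncommented line defines DISALLOW_FILE_EDIT as true."""
    for line in wp_config.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # commented out: the define is not in effect
        if DISALLOW_RE.search(line):
            return True
    return False


def audit(wp_root: Path) -> dict:
    """Combine both checks for one install rooted at wp_root (assumed layout)."""
    style = wp_root / "wp-content" / "themes" / "kallyas" / "style.css"
    config = wp_root / "wp-config.php"
    result = {
        "theme_present": style.exists(),
        "theme_version": None,
        "theme_vulnerable": None,
        "file_edit_disallowed": False,
    }
    if style.exists():
        version = parse_theme_version(style.read_text())
        result["theme_version"] = version
        result["theme_vulnerable"] = theme_is_vulnerable(version) if version else None
    if config.exists():
        result["file_edit_disallowed"] = file_edit_disallowed(config.read_text())
    return result


def build_sample_site(theme_version: str, disallow_line: str) -> Path:
    """Construct a minimal WordPress-like tree for testing the audit offline."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    style = root / "wp-content" / "themes" / "kallyas" / "style.css"
    style.parent.mkdir(parents=True)
    style.write_text(f"/*\nTheme Name: KALLYAS\nVersion: {theme_version}\n*/\n")
    (root / "wp-config.php").write_text(
        "<?php\n" + disallow_line + "\ndefine('DB_NAME', 'wp');\n"
    )
    return root


if __name__ == "__main__":
    before = build_sample_site("4.24.0", "// define('DISALLOW_FILE_EDIT', true);")
    after = build_sample_site("4.24.1", "define( 'DISALLOW_FILE_EDIT', true );")
    print("unpatched:", audit(before))
    print("patched:  ", audit(after))
```

Point `audit()` at the document root of a real install (the directory containing wp-config.php) and wire a non-zero exit on `theme_vulnerable` into the change-management checklist so a staged rollout cannot be signed off while any host still reports an affected version.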