Kallyas

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

AI Analysis

Remote Code Execution vulnerability in Kallyas theme for WordPress due to unrestricted access to the code editor widget

Basic Information

ID CVE-2025-6990

Source Wordfence

Published Nov 1, 2025 at 07:30

Affected Product

Vendor hogash

Product KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme

Version *

Affected Versions hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme *

CWE Classification

CWE-94

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor hogash

Product Kallyas theme for WordPress

Version 4.24.0 and below

References

{
    "lastseen": "",
    "description": "The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the  `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.",
    "published": "2025-11-01T07:30:03.218Z",
    "modified": "2025-11-01T07:30:03.218Z",
    "type": "cve",
    "title": "Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/721d29e4-397d-4965-bd64-33bced8e5de4?source=cve\nhttps://my.hogash.com/changelog_category/kallyas-wordpress-theme/",
    "id": "CVE-2025-6990",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme *",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme",
    "version": "*",
    "vendor": "hogash",
    "ai_description": "Remote Code Execution vulnerability in Kallyas theme for WordPress due to unrestricted access to the code editor widget",
    "ai_severity": "High",
    "ai_vendor": "hogash",
    "ai_product": "Kallyas theme for WordPress",
    "ai_version": "4.24.0 and below",
    "ai_score": 8.8
}

Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution_CVE-2025-6990