Kallyas <= 4.21.0 - Authenticated (Contributor+) Local File Inclusion

July 26, 2025 invoker category_cve

CVE Details

Basic Information

Title Kallyas <= 4.21.0 - Authenticated (Contributor+) Local File Inclusion
Type cve
Published 2025-07-26T07:23:52.298Z
Modified 2025-07-26T07:23:52.298Z

Product Information

Vendor hogash
Product KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme
Version *

CVSS Information

Base Score 7.5 (HIGH)
Attack Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

  • hogash KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme *

Additional Information

CWE List CWE-98
Source Wordfence

Description

The kallyas theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.21.0 via the ‘TH_LatestPosts4` widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.