CVE Details
Basic Information
| Title | Kallyas <= 4.21.0 - Authenticated (Contributor+) Arbitrary Folder Deletion |
|---|---|
| Type | cve |
| Published | 2025-07-26T07:23:51.894Z |
| Modified | 2025-07-26T07:23:51.894Z |
Product Information
| Vendor | hogash |
|---|---|
| Product | KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme |
| Version | * |
CVSS Information
| Base Score | 8.1 (HIGH) |
|---|---|
| Attack Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
AI Analysis
| AI Description | The Kallyas WordPress theme is vulnerable to arbitrary folder deletion by authenticated attackers with Contributor access or higher, due to insufficient file path validation in the delete_font() function. This affects all versions up to 4.21.0. |
|---|---|
| AI Severity | High |
| AI Vendor | hogash |
| AI Product | KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme |
| AI Version | <=4.21.0 |
Affected Products
- hogash KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme *
Additional Information
| CWE List | CWE-22 |
|---|---|
| Source | Wordfence |
Description
The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server.