{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6988", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-01T20:55:18.023Z", "datePublished": "2025-11-01T07:30:04.897Z", "dateUpdated": "2026-04-08T17:05:36.409Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:36.409Z"}, "affected": [{"vendor": "hogash", "product": "KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.23.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The kallyas theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 4.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Kallyas <= 4.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89f4d353-bb6a-4520-bb3e-a0121fb4bf9b?source=cve"}, {"url": "https://my.hogash.com/changelog_category/kallyas-wordpress-theme/#4-24-0"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-10-31T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-03T13:10:33.546697Z", "id": "CVE-2025-6988", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T13:30:11.443Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6988", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-03T13:10:33.546697Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T13:10:34.300Z"}}], "cna": {"title": "Kallyas <= 4.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "hogash", "product": "KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.23.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-31T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89f4d353-bb6a-4520-bb3e-a0121fb4bf9b?source=cve"}, {"url": "https://my.hogash.com/changelog_category/kallyas-wordpress-theme/#4-24-0"}], "descriptions": [{"lang": "en", "value": "The kallyas theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 4.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:36.409Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6988", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:36.409Z", "dateReserved": "2025-07-01T20:55:18.023Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-01T07:30:04.897Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The kallyas theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 4.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-6988", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-01T08:15:32.403", "references": [{"source": "security@wordfence.com", "url": "https://my.hogash.com/changelog_category/kallyas-wordpress-theme/#4-24-0"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89f4d353-bb6a-4520-bb3e-a0121fb4bf9b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:57:18.525932+00:00", "value": {"mitigation_remediation": ["Upgrade the KALLYAS theme to version 4.24.0 or later, where the XSS issue has been remediated.", "If an upgrade is not immediately possible, disable contributor or higher\u2011level accounts from adding or editing content that uses the vulnerable shortcodes, or revoke those users' permission to edit the affected pages.", "As a temporary measure, apply output filtering or content sanitization to the custom shortcode attributes to escape HTML before rendering."], "summary": {"action": "Apply Patch", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the KALLYAS WordPress theme released by hogash, specifically versions up to and including 4.23.0. WordPress sites that have installed any of these theme versions are at risk. The hit list extends to all customers using the theme on their WordPress installations.", "description_and_impact": "The KALLYAS WordPress theme allows stored cross\u2011site scripting via plugin shortcodes due to insufficient sanitization of user\u2011supplied attributes. An authenticated user with contributor or higher privileges can inject arbitrary JavaScript into pages, which will execute whenever any visitor loads the affected page. This enables attacks such as session hijacking, cookie theft, defacement, or malware delivery targeting site visitors.", "risk_and_exploitability": "The CVSS score of 6.4 categorises the bug as a moderate\u2011severity stored XSS. The EPSS score of less than 1\u202f% suggests that active exploitation has been rare to date, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an authenticated contributor\u2011level account; the attacker must first submit or edit content containing the malicious shortcode, after which any user who visits the page will have the injected script executed. Because the prerequisite is a legitimate login, this is a moderate\u2011risk threat that can be mitigated by disabling contributor privileges or restricting shortcode usage until the theme is updated."}}}}, "created": "2025-11-03T10:43:38.377210+00:00", "updated": "2026-04-21T02:00:12.315590+00:00", "vendors": ["hogash", "hogash$PRODUCT$kallyas", "wordpress", "wordpress$PRODUCT$wordpress"]}