{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6989", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-01T21:06:01.353Z", "datePublished": "2025-07-26T07:23:51.894Z", "dateUpdated": "2026-04-08T17:11:05.380Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:05.380Z"}, "affected": [{"vendor": "hogash", "product": "KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.21.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server."}], "title": "Kallyas <= 4.21.0 - Authenticated (Contributor+) Arbitrary Folder Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a8a3607-4f2e-44fb-8141-75f7620508d4?source=cve"}, {"url": "https://themeforest.net/item/kallyas-responsive-multipurpose-wordpress-theme/4091658"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-07-25T19:04:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-28T15:09:44.322146Z", "id": "CVE-2025-6989", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T15:09:57.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6989", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-28T15:09:44.322146Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T15:09:51.417Z"}}], "cna": {"title": "Kallyas <= 4.21.0 - Authenticated (Contributor+) Arbitrary Folder Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "hogash", "product": "KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.21.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-25T19:04:17.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a8a3607-4f2e-44fb-8141-75f7620508d4?source=cve"}, {"url": "https://themeforest.net/item/kallyas-responsive-multipurpose-wordpress-theme/4091658"}], "descriptions": [{"lang": "en", "value": "The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:05.380Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6989", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:05.380Z", "dateReserved": "2025-07-01T21:06:01.353Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-26T07:23:51.894Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server."}, {"lang": "es", "value": "El tema Kallyas para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de carpetas debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n delete_font() en todas las versiones hasta la 4.21.0 incluida. Esto permite que atacantes autenticados, con acceso de Colaborador o superior, eliminen carpetas arbitrarias en el servidor."}], "id": "CVE-2025-6989", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-26T08:15:26.160", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/kallyas-responsive-multipurpose-wordpress-theme/4091658"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a8a3607-4f2e-44fb-8141-75f7620508d4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:48:59.567113+00:00", "value": {"mitigation_remediation": ["Update the KALLYAS theme to the latest version (4.22.0 or newer) where the delete_font() path validation has been fixed.", "Immediately review and constrain Contributor and higher roles; revoke or limit any roles that permit access to the font management interface unless strictly necessary.", "If an update cannot be applied immediately, disable the delete_font() functionality or remove the delete_font() endpoint from the theme temporarily so that no path deletion can occur."], "summary": {"action": "Apply Patch", "impact": "Arbitrary Folder Deletion"}, "threat_synthesis": {"affected_systems": "The flaw affects hogash's KALLYAS Creative eCommerce Multi\u2011Purpose WordPress Theme versions up to and including 4.21.0.", "description_and_impact": "The Kallyas WordPress theme contains a flaw in the delete_font() function that allows authenticated users with Contributor-level permissions and higher to delete arbitrary folders on the server. This vulnerability arises from insufficient file path validation, enabling an attacker to specify unrestricted folder paths. The resulting impact is loss of files or directories, potentially compromising website functionality or data integrity.", "risk_and_exploitability": "The CVSS v3 score of 8.1 indicates high severity. The EPSS score is less than 1\u202f%, suggesting low overall exploitation probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is an authenticated user with Contributor or higher privileges. Successful exploitation requires the attacker to first authenticate to the WordPress site, after which the delete_font() endpoint can be invoked with a crafted path to remove any folder on the server. Because the attack is authenticated, sites that do not grant Contributor permissions are not exposed, but any site that does is at risk."}}}}, "created": "2025-07-28T12:45:44.855650+00:00", "updated": "2026-04-21T04:00:10.052926+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}