{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6990", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-01T21:10:09.036Z", "datePublished": "2025-11-01T07:30:03.218Z", "dateUpdated": "2026-04-08T17:00:41.322Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:41.322Z"}, "affected": [{"vendor": "hogash", "product": "KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.24.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server."}], "title": "Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/721d29e4-397d-4965-bd64-33bced8e5de4?source=cve"}, {"url": "https://my.hogash.com/changelog_category/kallyas-wordpress-theme/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2026-02-12T20:10:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-31T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-03T13:22:08.024137Z", "id": "CVE-2025-6990", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T13:30:17.631Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6990", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-03T13:22:08.024137Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T13:22:08.793Z"}}], "cna": {"title": "Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "hogash", "product": "KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.24.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-12T20:10:06.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-31T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/721d29e4-397d-4965-bd64-33bced8e5de4?source=cve"}, {"url": "https://my.hogash.com/changelog_category/kallyas-wordpress-theme/"}], "descriptions": [{"lang": "en", "value": "The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:41.322Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6990", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:41.322Z", "dateReserved": "2025-07-01T21:10:09.036Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-01T07:30:03.218Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server."}], "id": "CVE-2025-6990", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-01T08:15:32.600", "references": [{"source": "security@wordfence.com", "url": "https://my.hogash.com/changelog_category/kallyas-wordpress-theme/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/721d29e4-397d-4965-bd64-33bced8e5de4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:57:34.312736+00:00", "value": {"mitigation_remediation": ["Update the KALLYAS theme to any version newer than 4.24.0, which removes or restricts the TH_PhpCode widget;", "If an immediate upgrade is not possible, disable the TH_PhpCode widget for all non\u2011administrator users by editing the theme files or using a plugin that blocks access to the widget;", "Revoke Contributor or higher privileges from users who do not require them, limiting the number of accounts that can exploit the vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All released versions of the hogash KALLYAS Creative eCommerce Multi\u2011Purpose WordPress Theme up to and including version 4.24.0 are affected. Users running any of these versions are vulnerable; only versions above 4.24.0 without the TH_PhpCode widget or with restricted privileges are safe.", "description_and_impact": "The vulnerability exists in the TH_PhpCode pagebuilder widget of the Kallyas WordPress theme. Due to the theme not restricting access to this code editor widget for users who are not administrators, an authenticated attacker with Contributor\u2011level privileges or higher can insert and execute arbitrary PHP code on the web server. This grants the attacker full control over the server, allowing data exfiltration, lateral movement, and complete site takeover. The weakness is identified as an unsafe code injection (CWE\u201194).", "risk_and_exploitability": "The CVSS score of 8.8 classifies the vulnerability as critical, yet the EPSS score of less than 1% indicates a low probability of exploitation. Because the flaw requires authenticated access at the Contributor level, attackers must either compromise credentials or abuse existing legitimate accounts. The vulnerability is not listed in the CISA KEV catalog, but its ability to execute code remotely poses a severe threat if exploited."}}}}, "created": "2025-11-03T10:43:36.544810+00:00", "updated": "2026-04-21T02:00:12.316684+00:00", "vendors": ["hogash", "hogash$PRODUCT$kallyas", "wordpress", "wordpress$PRODUCT$wordpress"]}