CVE-2025-6990
BaseFortify

Publication date: 2025-11-01

Last updated on: 2025-11-04

Assigner: Wordfence

Description
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Meta Information
Published: 2025-11-01
Last Modified: 2025-11-04
Generated: 2026-05-07
AI Q&A: 2025-11-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: hogash
Product: kallyas
Version / Range: * (all versions)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-6990 is a Remote Code Execution vulnerability in the Kallyas WordPress Theme (up to version 4.24.0) caused by the theme not restricting access to the TH_PhpCode pagebuilder widget for non-administrators. This allows authenticated users with Contributor-level access or higher to execute arbitrary code on the server. The issue arises because contributors can access the code editor widget, which should be limited to administrators only. [1]


How can this vulnerability impact me?

This vulnerability can allow an attacker with Contributor-level access or above to execute arbitrary code on the server hosting the WordPress site. This can lead to full compromise of the server, including data theft, site defacement, installation of malware, or further attacks on the network. The high CVSS score (8.8) indicates a severe impact on confidentiality, integrity, and availability. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can negatively impact compliance with standards like GDPR and HIPAA because unauthorized code execution on the server can lead to data breaches, exposing personal or sensitive information. Such breaches violate data protection requirements and can result in legal and financial penalties under these regulations. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2025-6990 involves checking if the Kallyas WordPress theme version is up to and including 4.24.0 and if the TH_PhpCode pagebuilder widget is accessible to non-administrators. You can audit user roles and permissions in WordPress to see if Contributor-level users have access to the code editor widget. Additionally, reviewing theme files or logs for unauthorized PHP code execution attempts may help. Specific commands are not provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the Kallyas WordPress theme to a version later than 4.24.0 where the vulnerability is fixed. The update restricts PHP code element usage exclusively to administrators and implements various security hardening measures. Also, review and adjust user permissions to ensure that only trusted administrators have access to code editing features. [1]

