CVE-2025-6990
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-01

Last updated on: 2025-11-04

Assigner: Wordfence

Description
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-01
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-11-01
EPSS Evaluated
2026-06-14
NVD
CVE-2025-6990
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hogash kallyas *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-6990 is a Remote Code Execution vulnerability in the Kallyas WordPress Theme (up to version 4.24.0) caused by the theme not restricting access to the TH_PhpCode pagebuilder widget for non-administrators. This allows authenticated users with Contributor-level access or higher to execute arbitrary code on the server. The issue arises because contributors can access the code editor widget, which should be limited to administrators only. [1]

Impact Analysis

This vulnerability can allow an attacker with Contributor-level access or above to execute arbitrary code on the server hosting the WordPress site. This can lead to full compromise of the server, including data theft, site defacement, installation of malware, or further attacks on the network. The high CVSS score (8.8) indicates a severe impact on confidentiality, integrity, and availability. [1]

Compliance Impact

This vulnerability can negatively impact compliance with standards like GDPR and HIPAA because unauthorized code execution on the server can lead to data breaches, exposing personal or sensitive information. Such breaches violate data protection requirements and can result in legal and financial penalties under these regulations. [1]

Detection Guidance

Detection of CVE-2025-6990 involves checking if the Kallyas WordPress theme version is up to and including 4.24.0 and if the TH_PhpCode pagebuilder widget is accessible to non-administrators. You can audit user roles and permissions in WordPress to see if Contributor-level users have access to the code editor widget. Additionally, reviewing theme files or logs for unauthorized PHP code execution attempts may help. Specific commands are not provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Kallyas WordPress theme to a version later than 4.24.0 where the vulnerability is fixed. The update restricts PHP code element usage exclusively to administrators and implements various security hardening measures. Also, review and adjust user permissions to ensure that only trusted administrators have access to code editing features. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-6990. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart