CVE-2025-12895
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: Wordfence

Description
The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme an an open mail relay and send email to arbitrary email addresses on the server's behalf.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12895
EUVD
EUVD-2026-2816
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
laborator kalium to 3.29 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should update the Kalium WordPress theme to a version later than 3.29 where the security fix has been applied. The changelog indicates that security improvements and validation enhancements were made up to version 3.29 to address unauthorized code execution and related vulnerabilities. Ensuring your theme is updated to the latest version will prevent exploitation of the missing capability check in the kalium_vc_contact_form_request() function. [2]

Executive Summary

The Kalium 3 WordPress & WooCommerce theme has a vulnerability in the kalium_vc_contact_form_request() function due to a missing capability check. This allows unauthenticated attackers to exploit the theme as an open mail relay, enabling them to send emails to arbitrary addresses on the server's behalf without authorization.

Impact Analysis

This vulnerability can be exploited by attackers to send unauthorized emails from your server, potentially leading to your server being used for spam or phishing campaigns. This can damage your server's reputation, cause blacklisting by email providers, and increase the risk of further attacks or abuse.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12895. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart