Description
The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme as an open mail relay and send email to arbitrary email addresses on the server's behalf.
Published: 2026-01-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Email Relay
Action: Patch Urgently
AI Analysis

Impact

The Kalium 3 Creative WordPress & WooCommerce Theme lacks an authorization check (CWE-862) in its kalium_vc_contact_form_request() function. Because the handler can be reached without a session and the recipient of the message is taken from the request, an unauthenticated client can make the server send e-mail to any address it names. Attackers can therefore use the site as an open mail relay for spam or phishing, with the messages leaving from the site's own mail transport and sending domain. Exploitation needs nothing more than a crafted HTTP request, so every site running an affected version of the theme is exposed.

Affected Systems

All installations running version 3.29 or earlier of the Kalium 3 Creative WordPress & WooCommerce Theme, published by Laborator, are affected. The defect lives in the theme's own PHP code, so no particular WordPress core or WooCommerce version is needed for exploitation; any site on which the theme (or a child theme built on it) is active is exposed until the theme is upgraded.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) describes a flaw reachable over the network with no privileges and no user interaction, but whose impact is limited to a partial loss of integrity: the attacker gains a mail relay, not data access or code execution. The EPSS score below 1% estimates a low probability of exploitation in the near term, and the CVE is not listed in the CISA KEV catalog; the SSVC assessment nonetheless rates the issue Automatable, since the same request can be scripted against any site running the theme. The exploitation path is a single unauthenticated HTTP request to the endpoint that invokes kalium_vc_contact_form_request(), carrying a recipient of the attacker's choosing. The site then sends the message without the owner's knowledge, and the abuse may surface only later as deliverability problems or blocklisting of the site's mail domain.
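An added illustration of the weakness class, not Kalium's code (this page does not show the theme's implementation): a WordPress AJAX contact handler that trusts a request-supplied recipient and performs no authorization check, beside a hardened version. All hook names, request parameters, option names and the throttle are assumptions made for the example.

```php
<?php
// Added illustration of the CWE-862 pattern behind this CVE. This is NOT
// Kalium's code: handler names, request parameters and option names are
// assumptions chosen for the example.

// --- Vulnerable pattern ---------------------------------------------------
// Registered for both logged-in and anonymous users, it reads the recipient
// from the request and mails it with no nonce or capability check, so any
// HTTP client can make the site relay arbitrary messages.
add_action( 'wp_ajax_example_contact', 'example_contact_vulnerable' );
add_action( 'wp_ajax_nopriv_example_contact', 'example_contact_vulnerable' );

function example_contact_vulnerable() {
    $to      = $_POST['to'];        // attacker-controlled recipient
    $subject = $_POST['subject'];
    $message = $_POST['message'];
    wp_mail( $to, $subject, $message );
    wp_send_json_success();
}

// --- Hardened pattern ------------------------------------------------------
// A public contact form must still accept anonymous submissions, so a
// capability check alone cannot close the hole. The fix is to (1) never take
// the recipient from the request, (2) verify a nonce issued with the form,
// (3) validate and sanitise every field, and (4) throttle by client address.
add_action( 'wp_ajax_example_contact_v2', 'example_contact_hardened' );
add_action( 'wp_ajax_nopriv_example_contact_v2', 'example_contact_hardened' );

function example_contact_hardened() {
    // Nonce binds the request to a form the site itself rendered.
    check_ajax_referer( 'example_contact_form', 'nonce' );

    // Recipient comes from site configuration, never from the client.
    $to = get_option( 'admin_email' );

    $reply_to = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $subject  = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $message  = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );

    if ( ! is_email( $reply_to ) || $subject === '' || $message === '' ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    // Simple per-IP throttle via a transient (assumption for the example).
    $key = 'example_contact_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
    if ( get_transient( $key ) ) {
        wp_send_json_error( 'too many requests', 429 );
    }
    set_transient( $key, 1, MINUTE_IN_SECONDS );

    // Reply-To carries the visitor's address; From stays the site's own.
    // sanitize_email() has already stripped line breaks, so the header
    // cannot be used to inject extra Cc/Bcc recipients.
    $headers = array( 'Reply-To: ' . $reply_to );
    wp_mail( $to, '[Contact] ' . $subject, $message, $headers );
    wp_send_json_success();
}
```

The form that posts to the hardened handler must embed the nonce with wp_create_nonce( 'example_contact_form' ). Note that a nonce is still obtainable by an anonymous attacker who fetches the page, so it prevents cross-site abuse rather than scripted abuse; the property that actually removes the relay is that the recipient is fixed server-side, with the throttle limiting how much spam the fixed mailbox can be made to receive.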

Generated by OpenCVE AI on April 22, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround is recorded in the references for this entry.

OpenCVE Recommended Actions

  • Upgrade the Kalium theme to 3.30 or newer, the first release past the affected range (all versions up to and including 3.29), so that the missing authorization check is in place.
  • Until the upgrade is applied, remove the contact form from public pages or disable the theme's contact form component so that unauthenticated requests no longer reach the code path behind kalium_vc_contact_form_request().
  • Route outbound mail through an SMTP relay that enforces a recipient allowlist and per-sender rate limits, and alert on unexpected outbound volume; this contains any unauthenticated mail path on the site, not only this one.
  • Check web-server and mail logs for bursts of requests to the contact endpoint and for messages to unfamiliar recipients, review theme files for unauthorized modifications, and audit the theme's other AJAX handlers for the same missing-authorization pattern.
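An added example of the outbound-mail restriction recommended above: a must-use plugin that filters every wp_mail() call so only allowlisted recipient domains can be mailed, whichever theme or plugin originated the message. It is not part of Kalium or OpenCVE; the allowed domain list and the function names are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Outbound mail recipient allowlist (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before any theme.
 * Not part of Kalium or OpenCVE; the allowlist contents are an assumption.
 */

// Domains the site is allowed to mail. Assumption: the site only needs to
// reach its own staff; adjust to real needs.
const EXAMPLE_MAIL_ALLOWED_DOMAINS = array( 'example.com' );

// Returns true only for a syntactically valid address in an allowed domain.
function example_recipient_allowed( $address ) {
    $address = trim( $address );
    // Tolerate the "Name <user@host>" form that wp_mail() accepts.
    if ( preg_match( '/<([^>]+)>/', $address, $m ) ) {
        $address = $m[1];
    }
    if ( ! is_email( $address ) ) {
        return false;
    }
    $domain = strtolower( substr( strrchr( $address, '@' ), 1 ) );
    return in_array( $domain, EXAMPLE_MAIL_ALLOWED_DOMAINS, true );
}

// wp_mail() passes its argument array ('to', 'subject', 'message', 'headers',
// 'attachments') through the 'wp_mail' filter before sending. Removing a
// disallowed recipient here stops the relay regardless of which theme or
// plugin called wp_mail().
add_filter( 'wp_mail', function ( $args ) {
    $to      = is_array( $args['to'] ) ? $args['to'] : explode( ',', $args['to'] );
    $kept    = array();
    $dropped = array();
    foreach ( $to as $addr ) {
        if ( example_recipient_allowed( $addr ) ) {
            $kept[] = trim( $addr );
        } else {
            $dropped[] = trim( $addr );
        }
    }
    if ( $dropped ) {
        // Surfaces relay attempts in the PHP error log for incident review.
        error_log( sprintf(
            'wp_mail recipient(s) blocked: %s (request: %s)',
            implode( ', ', $dropped ),
            $_SERVER['REQUEST_URI'] ?? 'cli'
        ) );
    }
    // With no recipients left, wp_mail() fails on an empty address list
    // instead of relaying the message.
    $args['to'] = $kept;
    return $args;
}, 10, 1 );
```

The filter only inspects the 'to' field; Cc: and Bcc: lines supplied through $args['headers'] would need the same treatment if any code on the site sets them. Blocked attempts land in the PHP error log, which gives the incident responder a record of the recipients an attacker tried to reach and the request that triggered them.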

Generated by OpenCVE AI on April 22, 2026 at 15:41 UTC.


Advisories

No advisories yet.

History

Fri, 16 Jan 2026 14:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Laborator
                                       Laborator kalium
                                       Woocommerce
                                       Woocommerce woocommerce
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Laborator
                                       Laborator kalium
                                       Woocommerce
                                       Woocommerce woocommerce
                                       Wordpress
                                       Wordpress wordpress

Thu, 15 Jan 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 13:45:00 +0000

Type          Values Removed   Values Added
Description                    The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme as an open mail relay and send email to arbitrary email addresses on the server's behalf.
Title                          Kalium <= 3.29 - Missing Authorization to Unauthenticated Mail Relay via kalium_vc_contact_form_request
Weaknesses                     CWE-862
References                     (none)
Metrics                        cvssV3_1
                               {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:28.436Z

Reserved: 2025-11-07T18:51:08.718Z

Link: CVE-2025-12895

Vulnrichment

Updated: 2026-01-15T15:35:45.985Z

NVD

Status : Deferred

Published: 2026-01-15T14:16:25.540

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:45:20Z

Weaknesses