Description
Cross-Site Request Forgery (CSRF) vulnerability in hogash KALLYAS kallyas allows Cross Site Request Forgery. This issue affects KALLYAS: from n/a through < 4.25.0.
Published: 2025-12-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a Cross-Site Request Forgery (CSRF) vulnerability in the hogash KALLYAS WordPress theme that lets an attacker cause an authenticated user to submit requests to the site without that user's consent. The description does not state which actions can be triggered, only that forged requests can be sent from the victim's browser to the site.

Affected Systems

Any WordPress installation using the KALLYAS theme with a version earlier than 4.25.0 is potentially vulnerable. The vulnerability applies to all releases listed as "from n/a through < 4.25.0."

Risk and Exploitability

The defect has a CVSS score of 4.3, placing it in the medium severity range, and an EPSS score below 1%, indicating a low likelihood of exploitation in the current threat landscape. It is not listed in CISA's KEV catalog. Exploitation requires luring a user who is authenticated to the site to a malicious page that submits the forged request, so that unintended actions are performed in that user's session.

Generated by OpenCVE AI on April 29, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the KALLYAS theme to version 4.25.0 or later to eliminate the vulnerability.
  • If an upgrade is not feasible, deactivate or replace the KALLYAS theme with a secure alternative.
  • Implement CSRF protection mechanisms (e.g., ensure all state-changing requests require a valid nonce or token) or use a security plugin that enforces such checks for WordPress sites.
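As an added illustration of the nonce-or-token check the last recommendation describes (example code written here, not code from the KALLYAS theme or from OpenCVE): a weak admin-post handler that changes state on any POST sits beside a hardened one that verifies a WordPress nonce and the caller's capability before doing the same work. The handler names, option key and nonce action (`demo_save_weak`, `demo_save_hardened`, `demo_footer_text`, `demo_save_settings`) are hypothetical; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `admin_post_{action}`) are core APIs.

```php
<?php
// Added example of the nonce + capability pattern recommended above.
// Hypothetical names (demo_*); assumes it runs inside a plugin or a theme's
// functions.php on a standard WordPress install. Not KALLYAS code.

// --- Weak pattern: state change on any POST, no nonce, no capability check ---
// A cross-site form aimed at admin-post.php?action=demo_save_weak is accepted
// whenever the victim's browser sends its logged-in session cookie, which is
// the CSRF condition this record describes.
add_action( 'admin_post_demo_save_weak', 'demo_save_weak' );
function demo_save_weak() {
    $text = sanitize_text_field( wp_unslash( $_POST['footer_text'] ?? '' ) );
    update_option( 'demo_footer_text', $text );
    wp_safe_redirect( admin_url( 'themes.php?page=demo-settings&updated=1' ) );
    exit;
}

// --- Hardened pattern: verify nonce and capability, then make the change ---
add_action( 'admin_post_demo_save_hardened', 'demo_save_hardened' );
function demo_save_hardened() {
    // check_admin_referer() validates the nonce bound to this action name and
    // to the current user's session; on failure it stops the request with
    // WordPress's "link has expired" error instead of returning.
    check_admin_referer( 'demo_save_settings', '_demo_nonce' );

    // A nonce proves the request came from a form WordPress rendered for this
    // user; it does not prove authorization, so the capability is checked too.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $text = sanitize_text_field( wp_unslash( $_POST['footer_text'] ?? '' ) );
    update_option( 'demo_footer_text', $text );
    wp_safe_redirect( admin_url( 'themes.php?page=demo-settings&updated=1' ) );
    exit;
}

// --- The settings form that issues the nonce the hardened handler expects ---
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_hardened">
        <?php wp_nonce_field( 'demo_save_settings', '_demo_nonce' ); ?>
        <label>Footer text
            <input type="text" name="footer_text"
                   value="<?php echo esc_attr( get_option( 'demo_footer_text', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The same two checks apply to AJAX (`admin-ajax.php`) and REST endpoints: a request that changes state should never be accepted on the strength of the session cookie alone, and the nonce check should always be paired with a capability check, since the nonce only ties the request to a form this user was shown.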

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in hogash Kallyas kallyas.This issue affects Kallyas: from n/a through <= 4.2.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in hogash KALLYAS kallyas allows Cross Site Request Forgery.This issue affects KALLYAS: from n/a through < 4.25.0.

Type: Title
Values Removed: WordPress Kallyas theme <= 4.2 - Cross Site Request Forgery (CSRF) vulnerability
Values Added: WordPress KALLYAS theme < 4.25.0 - Cross Site Request Forgery (CSRF) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Added: Hogash; Hogash kallyas; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Hogash; Hogash kallyas; Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 17:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 15:00:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in hogash Kallyas kallyas.This issue affects Kallyas: from n/a through <= 4.2.

Type: Title
Values Added: WordPress Kallyas theme <= 4.2 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:09.719Z

Reserved: 2025-10-24T14:26:38.885Z

Link: CVE-2025-63060

Vulnrichment

Updated: 2025-12-09T16:42:05.212Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:11.503

Modified: 2026-04-27T19:16:20.237

Link: CVE-2025-63060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:45:06Z

Weaknesses