CVE-2025-6990 - Vulnerability Details

- Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution

Description

The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Published: 2025-11-01

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the TH_PhpCode pagebuilder widget of the Kallyas WordPress theme. Due to the theme not restricting access to this code editor widget for users who are not administrators, an authenticated attacker with Contributor‑level privileges or higher can insert and execute arbitrary PHP code on the web server. This grants the attacker full control over the server, allowing data exfiltration, lateral movement, and complete site takeover. The weakness is identified as an unsafe code injection (CWE‑94).

Affected Systems

All released versions of the hogash KALLYAS Creative eCommerce Multi‑Purpose WordPress Theme up to and including version 4.24.0 are affected. Users running any of these versions are vulnerable; only versions above 4.24.0 without the TH_PhpCode widget or with restricted privileges are safe.

Risk and Exploitability

The CVSS score of 8.8 classifies the vulnerability as critical, yet the EPSS score of less than 1% indicates a low probability of exploitation. Because the flaw requires authenticated access at the Contributor level, attackers must either compromise credentials or abuse existing legitimate accounts. The vulnerability is not listed in the CISA KEV catalog, but its ability to execute code remotely poses a severe threat if exploited.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

hogash

KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.24.0

No data.

Vendor	Product	Confidence	Versions
Hogash	Kallyas	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the KALLYAS theme to any version newer than 4.24.0, which removes or restricts the TH_PhpCode widget;
If an immediate upgrade is not possible, disable the TH_PhpCode widget for all non‑administrator users by editing the theme files or using a plugin that blocks access to the widget;
Revoke Contributor or higher privileges from users who do not require them, limiting the number of accounts that can exploit the vulnerability.

Generated by OpenCVE AI on April 21, 2026 at 01:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00302.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://my.hogash.com/changelog_category/kallyas-wordpress-theme/
https://www.wordfence.com/threat-intel/vulnerabilities/id/721d29e4-397d-4965-bd64-33bced8e5de4?source=cve

History

Mon, 03 Nov 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 03 Nov 2025 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hogash Hogash kallyas Wordpress Wordpress wordpress
Vendors & Products		Hogash Hogash kallyas Wordpress Wordpress wordpress

Sat, 01 Nov 2025 07:45:00 +0000

Type	Values Removed	Values Added
Description		The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Title		Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution
Weaknesses		CWE-94
References		https://my.hogash.com/changelog_category/kallyas-wordpress-theme/ https://www.wordfence.com/threat-intel/vulnerabilities/id/721d29e4-397d-4965-bd64-33bced8e5de4?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Hogash Kallyas

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-01T07:30:03.218Z

Updated: 2026-04-08T17:00:41.322Z

Reserved: 2025-07-01T21:10:09.036Z

Link: CVE-2025-6990

Vulnrichment

Updated: 2025-11-03T13:22:08.793Z

NVD

Status : Deferred

Published: 2025-11-01T08:15:32.600

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6990

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses

CWE-94

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object