CVE-2025-6990
Published: 01 November 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-6990 is a remote code execution (RCE) vulnerability (CWE-94) in the Kallyas theme for WordPress, affecting all versions up to and including 4.24.0. The flaw exists in the TH_PhpCode pagebuilder widget, which provides a code editor that the theme fails to restrict to administrators, allowing unauthorized access by lower-privileged users.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. Exploitation enables arbitrary code execution on the server, granting high impacts to confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Advisories with mitigation and patch details are available in the Kallyas theme changelog at https://my.hogash.com/changelog_category/kallyas-wordpress-theme/ and the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/721d29e4-397d-4965-bd64-33bced8e5de4?source=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated low-privilege (Contributor+) remote code execution via unrestricted PHP code editor in WordPress theme directly enables exploitation of a public-facing application (T1190) and privilege escalation from low privileges to full server compromise (T1068).