WordPress Kalium theme <= 3.25 - Arbitrary Code Execution vulnerability
Platform
wordpress
Component
kalium
Fixed in
3.25.1
CVE-2025-49926 identifies a Code Injection vulnerability within the Laborator Kalium WordPress plugin. This flaw allows attackers to inject malicious code, potentially gaining unauthorized access and control over affected websites. The vulnerability impacts versions from 0.0.0 up to and including 3.25, and a patch is available in version 3.25.1.
Impact and attack scenarios
The Code Injection vulnerability in Kalium allows an attacker to execute arbitrary code on the server hosting the WordPress site. This could lead to a complete compromise of the website, including data theft, defacement, and the installation of malware. Attackers could potentially gain access to sensitive user data, including login credentials and personal information. Given Kalium's popularity, a successful exploitation could affect a large number of websites. The impact is similar to other code injection vulnerabilities where attackers can bypass security controls and execute commands with the privileges of the web server process.
Exploitation context
CVE-2025-49926 was published on 2025-10-22. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at this time.
Who is at risk
Websites using the Kalium WordPress plugin, particularly those running older versions (0.0.0–3.25), are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
Detection steps
• wordpress / composer / npm:
grep -r "kalium" /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list | grep kalium
• wordpress / composer / npm:
curl -s https://your-wordpress-site.com/wp-content/plugins/kalium/readme.txt | grep Version
Attack timeline
- Disclosure
Threat analysis
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the Internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: exploitable without authentication. No credentials required.
- User Interaction
- None: automatic and silent attack. The victim does nothing.
- Scope
- Changed: the attack can spread beyond the vulnerable component to other systems.
- Confidentiality
- Low: partial or indirect access to some data.
- Integrity
- Low: the attacker can modify some data to a limited extent.
- Availability
- None: no impact on availability.
Affected software
Vulnerability classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and workarounds
The primary mitigation for CVE-2025-49926 is to immediately upgrade the Kalium plugin to version 3.25.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. Web application firewalls (WAFs) configured with rules to detect and block code injection attempts can provide an additional layer of protection. Review and harden WordPress security practices, including strong passwords and regular security audits.
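The detection steps and the mitigation above both come down to one question: is the installed Kalium copy older than 3.25.1? The following POSIX shell script is an added example, not part of this advisory or of Laborator's code. It reads the `Version:` header from the install (the theme `style.css` and plugin `readme.txt` locations are assumptions based on WordPress conventions), compares it component by component against the fixed version from this page, and reports `affected`, `patched` or `unknown`. Unlike a plain `grep`, it handles the `3.25` versus `3.25.1` boundary correctly, so `3.25` is reported as affected while `3.25.1` and later are not.

```shell
#!/bin/sh
# Added example (not from the advisory): check an installed Kalium copy
# against the fixed version 3.25.1 stated on this page. File locations are
# assumptions (WordPress theme style.css / plugin readme.txt conventions).
FIXED_VERSION="3.25.1"

# version_lt A B: exit 0 when dotted version A is strictly lower than B,
# comparing numerically component by component (missing components are 0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ -z "$ai" ]; then ai=0; fi
        if [ -z "$bi" ]; then bi=0; fi
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# kalium_status VERSION: print "affected" (<= 3.25, update needed),
# "patched" (>= 3.25.1) or "unknown" (no version could be read).
kalium_status() {
    if [ -z "$1" ]; then
        echo "unknown"
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "affected"
    else
        echo "patched"
    fi
}

# extract_version FILE: print the value of the first "Version:" header line
# (the theme style.css header format; assumed here for readme.txt as well).
extract_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# check_kalium_install WPROOT: locate Kalium under the WordPress root and
# print "<version> <status>", or "not-installed" if neither file exists.
check_kalium_install() {
    root="$1"
    for f in "$root/wp-content/themes/kalium/style.css" \
             "$root/wp-content/plugins/kalium/readme.txt"; do
        if [ -f "$f" ]; then
            v="$(extract_version "$f")"
            echo "${v:-?} $(kalium_status "$v")"
            return 0
        fi
    done
    echo "not-installed"
}

# Usage: WP_ROOT=/var/www/html sh kalium-check.sh
if [ -n "${WP_ROOT:-}" ]; then
    check_kalium_install "$WP_ROOT"
fi
```

Run it on each WordPress root of a shared host to get a per-site verdict; an `unknown` result means the header could not be read and the version should be confirmed by hand (for example with `wp plugin list` or `wp theme list`) rather than assumed safe.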
How to fix
Update the Kalium theme to the latest available version to fix the code injection vulnerability. Check the Themeforest page or the theme's repository for the most recent version and the update instructions. Make sure to take a full backup of your website before updating any theme.
Frequently asked questions
What is CVE-2025-49926 — Code Injection in Kalium WordPress Plugin?
CVE-2025-49926 is a Code Injection vulnerability affecting the Laborator Kalium WordPress plugin, allowing attackers to execute arbitrary code. It impacts versions 0.0.0–3.25 and has a CVSS score of 7.2 (HIGH).
Am I affected by CVE-2025-49926 in Kalium WordPress Plugin?
You are affected if you are using the Kalium WordPress plugin in versions 0.0.0 through 3.25. Check your plugin version and upgrade immediately if necessary.
How do I fix CVE-2025-49926 in Kalium WordPress Plugin?
Upgrade the Kalium plugin to version 3.25.1 or later to resolve the vulnerability. If upgrading is not possible, temporarily disable the plugin.
Is CVE-2025-49926 being actively exploited?
As of now, there is no evidence of active exploitation campaigns targeting CVE-2025-49926, but it's crucial to apply the patch promptly.
Where can I find the official Laborator advisory for CVE-2025-49926?
Refer to the Laborator Kalium plugin updates page and WordPress plugin repository for the latest information and advisory regarding CVE-2025-49926.