Platform: wordpress
Component: kallyas
Fixed in: 4.21.1
CVE-2025-6989 is a high-severity vulnerability affecting the KALLYAS WordPress theme, specifically versions from 0.0.0 through 4.21.0. This vulnerability allows authenticated attackers, with Contributor-level access or higher, to delete arbitrary folders on the server. The root cause lies in insufficient file path validation within the delete_font() function. A fix is available in newer versions of the theme.
The impact of this vulnerability is significant. An attacker who can authenticate to the WordPress site with a Contributor-level account or higher can leverage this flaw to delete critical files and directories on the server. This could lead to complete site compromise, data loss, and potentially even impact other applications hosted on the same server. The ability to delete arbitrary folders grants a high degree of control over the server's file system, enabling attackers to disrupt operations, steal sensitive data, or install malicious code. While requiring authentication, the relatively low privilege needed (Contributor) expands the potential attack surface.
This vulnerability is currently public. While no active exploitation campaigns have been confirmed, the availability of a relatively simple attack vector increases the risk of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a potential for widespread exploitation. Public proof-of-concept code is likely to emerge, further increasing the risk.
Exploit Status
EPSS: 0.09% (26th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of the KALLYAS theme (4.21.1 or later). Consult the theme developer's website for the latest release. If an immediate upgrade is not possible because of compatibility issues or breaking changes, tighten file access controls on the server in the meantime: restrict write permissions on the WordPress installation directory and its subdirectories so that the web server process can only modify what it must. Also review and harden WordPress user roles so that Contributor accounts hold no more privilege than they need, and scan the WordPress installation regularly for unauthorized files and directories.
Update the Kallyas theme to the latest available version to fix the arbitrary folder deletion vulnerability. Make sure to take a full backup of your website before updating the theme. Verify that file and folder permissions are correct to prevent unauthorized access.
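The advisory attributes the flaw to insufficient path validation in a font-deletion routine reachable by Contributor-level users. The following PHP is an added example written for this page, not code from the KALLYAS theme, showing the two controls such an endpoint needs: a capability check so that low-privilege roles cannot reach it at all, and canonical-path confinement so that a request can only ever name a regular font file inside one dedicated directory, never a directory and never anything outside it. All function names, the AJAX action name and the `example-fonts` directory are hypothetical; the WordPress functions it calls (`current_user_can`, `check_ajax_referer`, `wp_upload_dir`, `wp_send_json_error`) are real core APIs.

```php
<?php
// Added example (not the theme's code). Hypothetical names throughout.

/**
 * Resolve $requested against $fonts_dir and refuse anything that escapes it,
 * points at a directory, or is not a plain font file.
 * Returns the canonical absolute path on success, or null when rejected.
 */
function resolve_font_path(string $fonts_dir, string $requested): ?string {
    $base = realpath($fonts_dir);
    if ($base === false) {
        return null;                       // fonts dir must already exist
    }
    // Keep only a bare file name: directory components, '.', '..' and
    // empty names are all discarded before anything touches the disk.
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Allow-list the name shape rather than trying to deny-list bad input.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(ttf|otf|woff2?)$/', $name)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;                       // nothing there to delete
    }
    // The canonical path must still sit inside the base (this is what
    // defeats symlinks placed in the fonts dir) and must be a regular file.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

/** Delete one font file; true only if it was inside the fonts dir and removed. */
function delete_font_file(string $fonts_dir, string $requested): bool {
    $path = resolve_font_path($fonts_dir, $requested);
    return $path !== null && unlink($path);
}

// WordPress AJAX wrapper (hypothetical action name). The capability check is
// the control that closes the Contributor-level path: managing theme assets
// is an administrator task, so anything below manage_options is refused.
if (function_exists('add_action')) {
    add_action('wp_ajax_example_delete_font', function () {
        if (!current_user_can('manage_options')) {
            wp_send_json_error('forbidden', 403);
        }
        check_ajax_referer('example_delete_font');      // CSRF protection
        $upload    = wp_upload_dir();
        $fonts_dir = trailingslashit($upload['basedir']) . 'example-fonts';
        $ok = delete_font_file($fonts_dir, (string) ($_POST['font'] ?? ''));
        $ok ? wp_send_json_success() : wp_send_json_error('rejected', 400);
    });
}

// Stand-alone demo outside WordPress: a constructed temporary fonts dir
// holding one real font file and one subdirectory.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $dir = sys_get_temp_dir() . '/example-fonts-' . getmypid();
    mkdir($dir . '/sub', 0700, true);
    touch($dir . '/open-sans.woff2');
    foreach (['open-sans.woff2', '../../etc', 'sub', 'x/../open-sans.woff2'] as $req) {
        printf("%-24s -> %s\n", $req, resolve_font_path($dir, $req) === null ? 'rejected' : 'accepted');
    }
    unlink($dir . '/open-sans.woff2');
    rmdir($dir . '/sub');
    rmdir($dir);
}
```

The design point is that the capability check and the path confinement are independent layers: even if a future role change exposes the action to more users, the resolver can still only delete regular files with an allow-listed name inside the one directory it was given, and the `realpath` comparison is performed on the canonical path so that a symlink dropped into the fonts directory cannot redirect the deletion elsewhere.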
CVE-2025-6989 is a high-severity vulnerability in the KALLYAS WordPress theme allowing authenticated users to delete server folders due to flawed file path validation.
If you are using the KALLYAS WordPress theme version 0.0.0 through 4.21.0, you are potentially affected. Check your theme version and upgrade immediately.
Upgrade to the latest version of the KALLYAS theme. Consult the theme developer's website for the latest release and instructions.
While no active exploitation campaigns have been confirmed, the vulnerability is public and poses a significant risk. Monitor your systems for suspicious activity.
Refer to the KALLYAS theme developer's website or WordPress plugin repository for the official advisory and patch information.