Platform
wordpress
Component
kalium
Fixed in
3.25.1
CVE-2025-49926 identifies a Code Injection vulnerability within the Laborator Kalium WordPress plugin. This flaw allows attackers to inject malicious code, potentially gaining unauthorized access and control over affected websites. The vulnerability impacts versions from 0.0.0 up to and including 3.25, and a patch is available in version 3.25.1.
The Code Injection vulnerability in Kalium allows an attacker to execute arbitrary code on the server hosting the WordPress site. This could lead to a complete compromise of the website, including data theft, defacement, and the installation of malware. Attackers could potentially gain access to sensitive user data, including login credentials and personal information. Given Kalium's popularity, a successful exploitation could affect a large number of websites. The impact is similar to other code injection vulnerabilities where attackers can bypass security controls and execute commands with the privileges of the web server process.
CVE-2025-49926 was published on 2025-10-22. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at this time.
Websites using the Kalium WordPress plugin, particularly those running older versions (0.0.0–3.25), are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "kalium" /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list | grep kalium
• wordpress / composer / npm:
curl -s https://your-wordpress-site.com/wp-content/plugins/kalium/readme.txt | grep Version
Disclosure
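The shell one-liners above only tell you whether Kalium is present; deciding whether the installed build falls in the affected range (0.0.0 through 3.25) still requires a version comparison that plain string matching gets wrong (for example, "3.25" must sort below "3.25.1"). The following script is an added example, not part of this advisory or of the Kalium project: it extracts the `Version:` header from a readme.txt and compares it numerically against the fixed version 3.25.1 stated above. The sample header embedded in the script is constructed for illustration, and the file path argument is an assumption about where you keep the plugin.

```python
import re
import sys
from typing import Optional, Tuple

# Constructed sample of a WordPress readme.txt header; not the real Kalium file.
SAMPLE_README = """=== Kalium ===
Contributors: laborator
Stable tag: 3.25
Version: 3.25
Requires at least: 5.0
"""

# First version that is not affected, taken from the advisory.
FIXED_VERSION = "3.25.1"


def parse_version(text: str) -> Optional[str]:
    """Return the value of the first 'Version:' header line, or None if absent."""
    m = re.search(r"^Version:\s*([0-9][0-9A-Za-z.\-]*)", text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '3.25.1' into (3, 25, 1); a non-numeric suffix like '-beta' is dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b, padding short tuples with zeros
    so that '3.25' compares as (3, 25, 0) against '3.25.1'."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Every version strictly below the fixed release is in the affected range."""
    return compare_versions(installed, fixed) < 0


def check_readme(text: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version, vulnerable). Both are None when no Version header is found,
    so a missing header is reported rather than silently treated as safe."""
    version = parse_version(text)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Assumed usage: python check_kalium.py /var/www/html/wp-content/plugins/kalium/readme.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_README
    version, vulnerable = check_readme(content)
    if version is None:
        print("no Version header found; inspect the file manually")
    else:
        state = "AFFECTED, upgrade to %s" % FIXED_VERSION if vulnerable else "patched"
        print("Kalium %s: %s" % (version, state))
```

Run it against the real readme.txt (or the theme's style.css, which carries the same `Version:` header format) to get a yes/no answer instead of a grep line you still have to interpret by eye; a missing header is reported explicitly rather than assumed safe.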
Exploit Status
EPSS
0.08% (percentile 23%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-49926 is to immediately upgrade the Kalium plugin to version 3.25.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. Web application firewalls (WAFs) configured with rules to detect and block code injection attempts can provide an additional layer of protection. Review and harden WordPress security practices, including strong passwords and regular security audits.
Update the Kalium theme to the latest available version to fix the code injection vulnerability. Check the Themeforest page or the theme's repository for the most recent version and the update instructions. Be sure to take a full backup of your website before updating any theme.
CVE-2025-49926 is a Code Injection vulnerability affecting the Laborator Kalium WordPress plugin, allowing attackers to execute arbitrary code. It impacts versions 0.0.0–3.25 and has a CVSS score of 7.2 (HIGH).
You are affected if you are using the Kalium WordPress plugin in versions 0.0.0 through 3.25. Check your plugin version and upgrade immediately if necessary.
Upgrade the Kalium plugin to version 3.25.1 or later to resolve the vulnerability. If upgrading is not possible, temporarily disable the plugin.
As of now, there is no evidence of active exploitation campaigns targeting CVE-2025-49926, but it's crucial to apply the patch promptly.
Refer to the Laborator Kalium plugin updates page and WordPress plugin repository for the latest information and advisory regarding CVE-2025-49926.