WordPress Kalium theme <= 3.25 - Arbitrary Code Execution vulnerability
Platform: wordpress
Component: kalium
Fixed in: 3.25.1
CVE-2025-49926 identifies a Code Injection vulnerability within the Laborator Kalium WordPress plugin. This flaw allows attackers to inject malicious code, potentially gaining unauthorized access and control over affected websites. The vulnerability impacts versions from 0.0.0 up to and including 3.25, and a patch is available in version 3.25.1.
Impact and Attack Scenarios
The Code Injection vulnerability in Kalium allows an attacker to execute arbitrary code on the server hosting the WordPress site. This could lead to a complete compromise of the website, including data theft, defacement, and the installation of malware. Attackers could potentially gain access to sensitive user data, including login credentials and personal information. Given Kalium's popularity, a successful exploitation could affect a large number of websites. The impact is similar to other code injection vulnerabilities where attackers can bypass security controls and execute commands with the privileges of the web server process.
Exploitation Context
CVE-2025-49926 was published on 2025-10-22. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at this time.
Who Is at Risk
Websites using the Kalium WordPress plugin, particularly those running older versions (0.0.0–3.25), are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
Detection Steps
• wordpress / composer / npm:
grep -r "kalium" /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list | grep kalium
• wordpress / composer / npm:
curl -s https://your-wordpress-site.com/wp-content/plugins/kalium/readme.txt | grep Version
(the original command used curl -I, which fetches only the HTTP headers, so grep would never see the Version line in the file body; -s fetches the body quietly)
Attack Timeline
- Disclosure
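The detection steps above combined into one script, as an added example that is not part of the advisory: it reads the Version header from the theme's style.css (and from the plugin path the advisory's own commands use), compares it numerically against the fixed release 3.25.1, and reports whether the install falls in the affected range (0.0.0 through 3.25). The file paths and the "Version:" header format are assumptions about a standard WordPress layout.

```shell
#!/bin/sh
# Added example (not from the advisory): check an installed Kalium version
# against the fixed release 3.25.1. Kalium is sold as a theme, while the
# advisory's detection commands look under plugins, so both locations are
# scanned. Path layout and the "Version:" header format are assumptions
# about a standard WordPress install.

FIXED_VERSION="3.25.1"

# version_lt A B: succeed (exit 0) when dotted numeric version A is strictly
# older than B. Missing trailing components count as 0, so 3.25 == 3.25.0.
version_lt() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; a="${a#*.}"
        bi="${b%%.*}"; b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# kalium_status VERSION: print "vulnerable" for <= 3.25, "patched" otherwise.
kalium_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# extract_version FILE: pull the number from a "Version: x.y.z" header line
# (theme style.css or plugin readme.txt). Only digits and dots are kept, so
# the comparison above never sees suffixes like "-beta".
extract_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' "$1" | head -n 1
}

# scan_wordpress ROOT: report every Kalium install found under ROOT.
scan_wordpress() {
    root="$1"
    found=0
    for f in "$root/wp-content/themes/kalium/style.css" \
             "$root/wp-content/plugins/kalium/readme.txt"; do
        [ -f "$f" ] || continue
        v="$(extract_version "$f")"
        if [ -z "$v" ]; then
            printf '%s: no Version header found, check manually\n' "$f"
            continue
        fi
        found=1
        printf '%s: version %s -> %s (fixed in %s)\n' \
            "$f" "$v" "$(kalium_status "$v")" "$FIXED_VERSION"
    done
    [ "$found" -eq 1 ] || echo "no Kalium theme or plugin found under $root"
}

# Usage: sh check_kalium.sh /var/www/html
if [ -n "${1:-}" ]; then
    scan_wordpress "$1"
fi
```

Running it against the document root on each host (or each site on a shared server, since the advisory notes that one compromised tenant can endanger the others) gives a per-site verdict without relying on the theme being visible over HTTP.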
Threat Intelligence
EPSS: 0.08% (23rd percentile)
CVSS vector (assembled from the metrics listed below): AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
What do these metrics mean?
- Attack Vector
- Network: remotely exploitable over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: no authentication needed to exploit.
- User Interaction
- None: automatic and silent attack. The victim does nothing.
- Scope
- Changed: the attack can extend beyond the vulnerable component to other systems.
- Confidentiality
- Low: partial access to some data.
- Integrity
- Low: the attacker can modify some data to a limited extent.
- Availability
- None: no availability impact.
Mitigation and Workarounds
The primary mitigation for CVE-2025-49926 is to immediately upgrade the Kalium plugin to version 3.25.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. Web application firewalls (WAFs) configured with rules to detect and block code injection attempts can provide an additional layer of protection. Review and harden WordPress security practices, including strong passwords and regular security audits.
How to Fix
Update the Kalium theme to the latest available version to resolve the code injection vulnerability. Check the Themeforest page or the theme's repository for the most recent version and the update instructions. Make a full backup of your website before updating any theme.
Frequently Asked Questions
What is CVE-2025-49926 — Code Injection in Kalium WordPress Plugin?
CVE-2025-49926 is a Code Injection vulnerability affecting the Laborator Kalium WordPress plugin, allowing attackers to execute arbitrary code. It impacts versions 0.0.0–3.25 and has a CVSS score of 7.2 (HIGH).
Am I affected by CVE-2025-49926 in Kalium WordPress Plugin?
You are affected if you are using the Kalium WordPress plugin in versions 0.0.0 through 3.25. Check your plugin version and upgrade immediately if necessary.
How do I fix CVE-2025-49926 in Kalium WordPress Plugin?
Upgrade the Kalium plugin to version 3.25.1 or later to resolve the vulnerability. If upgrading is not possible, temporarily disable the plugin.
Is CVE-2025-49926 being actively exploited?
As of now, there is no evidence of active exploitation campaigns targeting CVE-2025-49926, but it's crucial to apply the patch promptly.
Where can I find the official Laborator advisory for CVE-2025-49926?
Refer to the Laborator Kalium plugin updates page and WordPress plugin repository for the latest information and advisory regarding CVE-2025-49926.