MEDIUMCVE-2025-63060CVSS 4.3

WordPress KALLYAS 主题 < 4.25.0 - 跨站请求伪造 (CSRF) 漏洞

Q: What is CVE-2025-63060 — CSRF in KALLYAS WordPress Theme?

CVE-2025-63060 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the KALLYAS WordPress theme, allowing attackers to perform unauthorized actions.

Q: Am I affected by CVE-2025-63060 in KALLYAS WordPress Theme?

You are affected if you are using the KALLYAS WordPress theme in versions 0.0.0 through 4.25.0. Upgrade to 4.25.0 or later to mitigate the risk.

Q: How do I fix CVE-2025-63060 in KALLYAS WordPress Theme?

Upgrade the KALLYAS WordPress theme to version 4.25.0 or later. Consider implementing CSP headers and server-side CSRF tokens as additional security measures.

Q: Is CVE-2025-63060 being actively exploited?

There is no confirmed active exploitation of CVE-2025-63060 at this time, but the vulnerability's nature and the popularity of the theme suggest a potential risk.

Q: Where can I find the official KALLYAS advisory for CVE-2025-63060?

Refer to the KALLYAS theme developer's website or WordPress plugin repository for the official advisory and update information.

平台

wordpress

组件

kallyas

修复版本

4.25.1

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

A Cross-Site Request Forgery (CSRF) vulnerability exists in the KALLYAS WordPress theme, potentially allowing attackers to execute unauthorized actions on behalf of authenticated users. This vulnerability affects versions from 0.0.0 through 4.25.0. The issue has been resolved in version 4.25.0, and users are strongly advised to upgrade.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

This CSRF vulnerability allows an attacker to trick a legitimate user into performing actions they did not intend to. For example, an attacker could craft a malicious link that, when clicked by an authenticated user, modifies theme settings, adds or deletes pages, or performs other administrative tasks. The blast radius is limited to the user's privileges within the WordPress site; however, if the user has administrative access, the impact can be significant, potentially leading to complete site compromise. Successful exploitation requires the user to be logged in and interact with the malicious link.

利用背景翻译中…

This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability's CVSS score of 4.3 (MEDIUM) suggests a moderate probability of exploitation, particularly given the widespread use of WordPress and themes like KALLYAS. It is not currently listed on the CISA KEV catalog.

哪些人处于风险中翻译中…

Websites using the KALLYAS WordPress theme, particularly those running versions 0.0.0 through 4.25.0, are at risk. Shared hosting environments where users have limited control over theme updates are especially vulnerable. Sites with administrative users who frequently click on links from untrusted sources are also at higher risk.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r 'kallyas_theme_options' /var/www/html/*

• wordpress / composer / npm:

wp plugin list | grep kallyas

• wordpress / composer / npm:

wp plugin update kallyas

攻击时间线

2025-12-09Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

EPSS

0.02% (5% 百分位)

CISA SSVC

利用情况none

可自动化no

技术影响partial

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope: 未改变 — 影响仅限于脆弱组件本身。
Confidentiality: 无 — 无机密性影响。
Integrity: 低 — 攻击者可修改部分数据，影响有限。
Availability: 无 — 无可用性影响。

受影响的软件

组件kallyas

供应商wordfence

影响范围修复版本

0 – 4.25.04.25.1

弱点分类 (CWE)

CWE-352

时间线

已保留2025-10-24
发布日期2025-12-09
修改日期2026-04-28
EPSS 更新日期2026-03-23

缓解措施和替代方案翻译中…

The primary mitigation is to upgrade the KALLYAS WordPress theme to version 4.25.0 or later. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing strict Content Security Policy (CSP) headers to restrict the origin of scripts and resources. Additionally, implement server-side CSRF tokens for sensitive actions within the theme. While not a direct fix, these measures can reduce the attack surface. After upgrading, verify the theme's functionality and ensure no unexpected behavior arises.

修复方法

目前没有已知的补丁。请深入审查该漏洞的详细信息，并根据您组织的风险承受能力采取缓解措施。最好卸载受影响的软件并寻找替代方案。

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2025-63060 — CSRF in KALLYAS WordPress Theme?

CVE-2025-63060 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the KALLYAS WordPress theme, allowing attackers to perform unauthorized actions.

Am I affected by CVE-2025-63060 in KALLYAS WordPress Theme?

You are affected if you are using the KALLYAS WordPress theme in versions 0.0.0 through 4.25.0. Upgrade to 4.25.0 or later to mitigate the risk.

How do I fix CVE-2025-63060 in KALLYAS WordPress Theme?

Upgrade the KALLYAS WordPress theme to version 4.25.0 or later. Consider implementing CSP headers and server-side CSRF tokens as additional security measures.

Is CVE-2025-63060 being actively exploited?

There is no confirmed active exploitation of CVE-2025-63060 at this time, but the vulnerability's nature and the popularity of the theme suggest a potential risk.

Where can I find the official KALLYAS advisory for CVE-2025-63060?

Refer to the KALLYAS theme developer's website or WordPress plugin repository for the official advisory and update information.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE