KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme Vulnerab…

by | Feb 12, 2026 | Themes

Attack Vectors

A high-severity vulnerability (CVSS 8.8), tracked as CVE-2025-6990, affects the KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme (slug: kallyas-2) in versions up to and including 4.24.0. The issue allows authenticated remote code execution by any user with Contributor-level access or higher.

The attack path is the theme's page-builder widget TH_PhpCode: a logged-in attacker can submit code through the widget and have it executed on the server. The threat therefore does not require an administrator account. It can originate from a compromised Contributor account, from overly broad permissions granted to agencies or vendors, or from any scenario in which a low-privilege WordPress account is obtained through credential reuse or phishing.

Security Weakness

The weakness is an access-control failure: the theme does not restrict the code editor widget to administrators. Because TH_PhpCode executes server-side PHP, exposing it to non-admin roles (Contributor and above) creates a direct path from "content creation" permissions to code execution on the web server.

In business terms, this turns a common operational practice—granting contributor accounts to internal teams or external partners—into a high-risk exposure. Even if your organization follows good publishing workflows, the mere existence of this widget for non-admin roles can be enough to enable exploitation if an account is abused.

Technical or Business Impacts

If exploited, this vulnerability can enable an attacker to run code on the web server, which can lead to complete compromise of the WordPress site and potentially the hosting environment. Expected outcomes can include data theft, website defacement, installation of backdoors, malicious redirects, and disruption of online operations.

For marketing directors, CEOs, COOs, CFOs, and compliance teams, the business risks include brand damage (malicious content or redirects), lead and customer trust erosion, downtime during incident response, and potential exposure of sensitive data. If the site supports eCommerce or captures customer information, the event can also trigger regulatory reporting obligations, contractual notifications, and unplanned costs for forensics, legal review, and remediation.

Status and remediation: no patch was available at the time of the referenced report. Organizations should assess their risk tolerance and apply compensating controls: limit or remove non-admin access to the affected functionality, review every Contributor-or-higher account and remove those that are not needed, and, where feasible, uninstall the affected theme and replace it. Because the widget is reachable by low-privilege users, it is also worth checking whether any existing content authored by such users already references it. For additional details, see the source advisory: Wordfence vulnerability record.
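As an added example (not code from the theme, the advisory, or Wordfence), the Python script below implements the two checks a responder would run first against a site using this theme: whether the installed theme directory is kallyas-2 at an affected version (parsing the standard WordPress style.css header and comparing versions numerically rather than as strings), and whether any stored content last edited by a non-administrator references the TH_PhpCode widget. The sample style.css and post rows are constructed for this example; locating widget usage by searching post content for the widget class name is an assumption, since the page builder's storage format is not described on the page.

```python
"""Triage helpers for CVE-2025-6990 (KALLYAS / kallyas-2, TH_PhpCode widget).

Added example, not code from the theme or the advisory. Assumptions are
marked in comments: the style.css header follows the standard WordPress
layout, the theme directory name is the slug, and widget usage can be found
by searching stored post content for the widget class name.
"""
import re
from typing import Dict, List, Tuple

# Affected range from the advisory: versions up to and including 4.24.0.
AFFECTED_MAX = (4, 24, 0)
THEME_SLUG = "kallyas-2"
WIDGET_MARKER = "TH_PhpCode"
# Roles the advisory says can reach the widget but should never be able to
# run server-side code.
NON_ADMIN_ROLES = {"contributor", "author", "editor"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.24.0' into (4, 24, 0) so versions compare numerically.

    Plain string comparison gets this wrong ('4.9.1' > '4.24.0' as strings),
    a common bug in ad-hoc audit scripts.
    """
    parts = re.findall(r"\d+", version)
    return tuple(int(p) for p in parts) or (0,)


def version_is_affected(version: str) -> bool:
    """True when the version falls in the advisory's affected range."""
    return parse_version(version) <= AFFECTED_MAX


def read_theme_header(style_css: str) -> Dict[str, str]:
    """Parse the 'Key: value' lines of the WordPress theme header comment."""
    header: Dict[str, str] = {}
    match = re.search(r"/\*(.*?)\*/", style_css, re.S)
    if not match:
        return header
    for line in match.group(1).splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return header


def theme_is_affected(theme_dir: str, style_css: str) -> bool:
    """True when theme_dir is the kallyas-2 directory at a vulnerable version."""
    if theme_dir.rstrip("/").split("/")[-1] != THEME_SLUG:
        return False
    version = read_theme_header(style_css).get("Version", "")
    return bool(version) and version_is_affected(version)


def flag_widget_use(posts: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return posts that reference the PHP code widget and were last edited by
    a non-administrator. Any hit should be triaged as possible exploitation.

    ASSUMPTION: the widget is identifiable by its class name in post content;
    the page builder's exact serialised format is not documented on the page.
    """
    return [
        post for post in posts
        if WIDGET_MARKER in post["content"] and post["role"].lower() in NON_ADMIN_ROLES
    ]


# Constructed sample data so the script runs stand-alone (not real site data).
SAMPLE_STYLE_CSS = """/*
Theme Name: KALLYAS
Theme URI: https://example.invalid/kallyas
Version: 4.24.0
*/
body { margin: 0; }
"""

# Constructed rows approximating a wp_posts export joined with the editor's role.
SAMPLE_POSTS = [
    {"id": "101", "author": "intern", "role": "contributor",
     "content": '{"widget":"TH_PhpCode","code":"<?php echo 1; ?>"}'},
    {"id": "102", "author": "admin", "role": "administrator",
     "content": '{"widget":"TH_PhpCode","code":"<?php echo 2; ?>"}'},
    {"id": "103", "author": "intern", "role": "contributor",
     "content": "<p>Plain blog post with no builder widgets.</p>"},
    {"id": "104", "author": "agency", "role": "editor",
     "content": '{"widget":"TH_PhpCode","code":"<?php echo 3; ?>"}'},
]

if __name__ == "__main__":
    affected = theme_is_affected("/var/www/wp-content/themes/kallyas-2", SAMPLE_STYLE_CSS)
    print("theme affected:", affected)
    for post in flag_widget_use(SAMPLE_POSTS):
        print(f"REVIEW post {post['id']} ({post['author']}, {post['role']}) uses {WIDGET_MARKER}")
```

On a real site, feed it the actual style.css of the theme directory and a wp_posts export joined with each editor's role; a hit does not prove exploitation, but it identifies exactly which content and which account to examine first. The numeric version comparison matters: with string comparison, 4.9.1 would sort above 4.24.0 and be wrongly reported as unaffected.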

Similar Attacks

Authenticated, low-privilege pathways are common in real-world WordPress incidents: attackers take a publisher-level account and turn it into deeper control of the site. Related WordPress security events include the long-running File Manager plugin vulnerability and the widely discussed Elementor Pro vulnerability disclosure, both of which raised awareness of plugin and theme exposure and of the need for rapid mitigation.
