Skip to main content
CVE Vulnerability Database

CVE-2025-6989: Kallyas WordPress Path Traversal Flaw

CVE-2025-6989 is a path traversal vulnerability in the Kallyas WordPress theme allowing authenticated attackers to delete arbitrary folders on the server. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-6989 Overview

CVE-2025-6989 is a path traversal vulnerability [CWE-22] in the Kallyas theme for WordPress. The flaw resides in the delete_font() function, which fails to properly validate file paths supplied by authenticated users. Attackers holding Contributor-level access or higher can abuse this function to delete arbitrary folders on the underlying server.

All versions of the Kallyas theme up to and including 4.21.0 are affected. Successful exploitation impacts site integrity and availability, potentially enabling site takeover when critical directories such as wp-content or configuration paths are removed.

Critical Impact

Authenticated contributors can delete arbitrary server folders, leading to site disruption and potential remote code execution by deleting wp-config.php directories to trigger reinstallation.

Affected Products

  • Kallyas Responsive Multipurpose WordPress Theme — versions up to and including 4.21.0
  • WordPress installations using the Kallyas theme with Contributor-level or higher user accounts
  • Multisite WordPress deployments running vulnerable Kallyas builds

Discovery Timeline

  • 2025-07-26 - CVE-2025-6989 published to the National Vulnerability Database (NVD)
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-6989

Vulnerability Analysis

The vulnerability stems from the delete_font() function within the Kallyas theme. The function accepts a user-controlled path parameter and passes it to a file system deletion routine without sanitization or path normalization. WordPress contributors, who normally lack file system privileges, can invoke this handler through an authenticated request.

The issue is classified as a Path Traversal weakness [CWE-22]. Because the function operates with the privileges of the PHP process running WordPress, the attacker can traverse outside the intended fonts directory using sequences such as ../ to reach arbitrary locations on disk.

The attack requires network access and low-privileged authentication, but no user interaction. Confidentiality is not directly affected, but integrity and availability impact are high because folder deletion can corrupt the site, remove plugins, or destroy uploaded data.

Root Cause

The root cause is insufficient validation of the file path argument supplied to the delete_font() function. The handler trusts client-supplied input and does not enforce that the resolved path remains within a designated fonts directory, nor does it apply an allowlist of deletable resources.

Attack Vector

An authenticated user with Contributor permissions sends a crafted request to the theme endpoint that invokes delete_font(). The payload contains a traversal sequence pointing to an arbitrary directory on the server. The server resolves the path and recursively deletes the target folder. Deleting directories such as the wp-config parent or active plugin folders can render the site inoperable or expose it to reinstallation-based takeover.

No verified public proof-of-concept code is available. See the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-6989

Indicators of Compromise

  • Unexpected POST or AJAX requests from authenticated Contributor accounts to Kallyas theme endpoints that invoke font management actions.
  • Missing directories under wp-content/, wp-content/plugins/, or wp-content/uploads/ without corresponding administrative action.
  • Web server or PHP error logs reporting failed file includes after directory removal.
  • Request bodies containing ../ traversal sequences targeting font management parameters.

Detection Strategies

  • Inspect web server access logs for authenticated requests containing path traversal patterns directed at Kallyas theme PHP files.
  • Monitor file integrity for the wp-content tree and alert on unexpected directory deletions.
  • Audit recently created Contributor and Author accounts on sites running the Kallyas theme.

Monitoring Recommendations

  • Enable a Web Application Firewall (WAF) rule set that blocks ../ and encoded traversal sequences targeting WordPress theme endpoints.
  • Forward WordPress and PHP-FPM logs to a centralized data lake for query-based hunting on theme-related file operations.
  • Alert on filesystem unlink and rmdir syscalls invoked by the web server user outside scheduled maintenance windows.

How to Mitigate CVE-2025-6989

Immediate Actions Required

  • Update the Kallyas theme to a version released after 4.21.0 that addresses the delete_font() validation flaw.
  • Audit user roles and remove unnecessary Contributor-level or higher accounts from production WordPress sites.
  • Restore deleted directories from backup if signs of exploitation are present and rotate all WordPress credentials.

Patch Information

Refer to the vendor's product page at ThemeForest - Kallyas for the latest theme release. Review the Wordfence Vulnerability Report for patch tracking and rule coverage details.

Workarounds

  • Restrict access to WordPress theme administrative endpoints using server-level authentication or IP allowlisting until the patch is applied.
  • Apply WAF rules that block path traversal payloads in requests to the Kallyas theme directory.
  • Enforce least-privilege role assignments and disable user registration on sites that do not require it.
bash
# Example WAF rule snippet to block traversal sequences targeting Kallyas theme endpoints
SecRule REQUEST_URI "@contains /wp-content/themes/kallyas/" \
    "chain,phase:2,deny,status:403,id:1006989,msg:'CVE-2025-6989 Kallyas path traversal'"
    SecRule ARGS|REQUEST_BODY "@rx (\.\./|%2e%2e%2f)" "t:lowercase,t:urlDecodeUni"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.