Skip to main content
CVE Vulnerability Database

CVE-2025-6990: Kallyas WordPress Theme RCE Vulnerability

CVE-2025-6990 is a remote code execution vulnerability in the Kallyas WordPress theme affecting versions up to 4.24.0. Authenticated contributors can execute arbitrary code via the TH_PhpCode widget. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-6990 Overview

CVE-2025-6990 is a Remote Code Execution (RCE) vulnerability affecting the Kallyas WordPress theme in all versions up to and including 4.24.0. The flaw resides in the TH_PhpCode pagebuilder widget, which the theme fails to restrict to administrator-level users. Authenticated attackers with Contributor-level access or higher can abuse the code editor widget to execute arbitrary PHP code on the underlying web server. The weakness is classified under CWE-94: Improper Control of Generation of Code.

Critical Impact

Contributor-level WordPress users can execute arbitrary PHP code on the server, leading to full site compromise, data theft, and lateral movement into the hosting environment.

Affected Products

  • Kallyas WordPress theme versions up to and including 4.24.0
  • WordPress sites using the TH_PhpCode pagebuilder widget
  • Hogash-developed themes integrating the same Themes Builder component

Discovery Timeline

  • 2025-11-01 - CVE-2025-6990 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6990

Vulnerability Analysis

The Kallyas theme ships with a pagebuilder component that exposes a TH_PhpCode widget. This widget is designed as an administrative tool that allows site builders to embed PHP snippets directly into a page layout. By design, only administrators should be able to access or render the widget output.

The theme does not enforce a capability check restricting the widget to administrators. WordPress users with the Contributor role, which exists primarily to allow draft submission, can supply PHP code through the widget interface. The supplied code is then evaluated by the PHP interpreter when the page is rendered, granting the attacker code execution in the context of the web server process.

Because exploitation requires only a low-privilege authenticated account, any site that permits user registration or hosts multiple contributors is directly exposed. Successful exploitation compromises confidentiality, integrity, and availability of the WordPress installation.

Root Cause

The root cause is missing authorization on a code-execution feature. The theme treats the TH_PhpCode widget as a builder utility but omits an current_user_can('manage_options') style capability check before accepting or evaluating widget input. This collapses the boundary between content editors and site administrators.

Attack Vector

An attacker authenticates to the target WordPress site with at least Contributor privileges. The attacker creates or edits a post or page that invokes the Kallyas pagebuilder and inserts arbitrary PHP into the TH_PhpCode widget. When the post is previewed or rendered, the theme evaluates the supplied PHP, returning the attacker's command output and granting persistent access through webshell deployment.

The vulnerability is exploitable over the network through standard HTTP(S) requests to the WordPress administration interface. No user interaction beyond the attacker's own authenticated session is required.

Detection Methods for CVE-2025-6990

Indicators of Compromise

  • Unexpected PHP files written to wp-content/uploads/ or theme directories shortly after Contributor-level logins
  • Posts or drafts created by low-privilege accounts that reference the TH_PhpCode widget in post meta or _kallyas_options
  • Outbound network connections from the web server to unfamiliar hosts following content editor activity
  • New administrator accounts or modifications to wp_users and wp_usermeta tables without an audit trail

Detection Strategies

  • Audit the WordPress database for post content containing the TH_PhpCode shortcode or serialized widget data referencing PHP execution
  • Monitor web server logs for POST requests to admin-ajax.php or post.php originating from Contributor or Author accounts that include pagebuilder save actions
  • Inspect filesystem changes under the active theme and uploads directory using file integrity monitoring
  • Review PHP error logs for eval() related warnings or fatal errors tied to theme widget rendering

Monitoring Recommendations

  • Alert on creation or modification of .php files in any WordPress writable directory
  • Track role assignments and flag any Contributor account that gains access to pagebuilder functionality
  • Forward WordPress audit logs into a centralized SIEM for correlation with web server telemetry
  • Baseline expected pagebuilder usage and flag deviations from administrator-only activity

How to Mitigate CVE-2025-6990

Immediate Actions Required

  • Update the Kallyas theme to a version released after 4.24.0 that restricts the TH_PhpCode widget to administrators
  • Audit existing Contributor, Author, and Editor accounts and remove any that are unused or unrecognized
  • Disable open user registration on the WordPress site until patching is complete
  • Scan the site for webshells and unauthorized PHP files placed via the widget

Patch Information

Review the Hogash Theme Changelog for the patched release that adds capability checks to the TH_PhpCode widget. Additional technical context is available in the Wordfence Vulnerability Report. Apply the vendor patch through the WordPress dashboard or by replacing the theme files manually.

Workarounds

  • Temporarily restrict the Kallyas pagebuilder to administrators by deploying a custom plugin that wraps widget registration in a capability check
  • Block access to pagebuilder AJAX endpoints at the web application firewall for non-administrator sessions
  • Remove the TH_PhpCode widget file from the theme until the official patch is applied
  • Demote or remove Contributor accounts that do not require post submission capability
bash
# Configuration example: restrict pagebuilder AJAX to administrators via mu-plugin
# Place in wp-content/mu-plugins/restrict-kallyas-phpcode.php
<?php
add_action('init', function () {
    if (!is_user_logged_in()) {
        return;
    }
    if (!current_user_can('manage_options')) {
        remove_action('wp_ajax_th_save_page', 'th_save_page');
        remove_action('wp_ajax_th_render_widget', 'th_render_widget');
    }
});

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.