Skip to main content
CVE Vulnerability Database

CVE-2025-6991: Kallyas WordPress Theme RCE Vulnerability

CVE-2025-6991 is a local file inclusion flaw in the Kallyas WordPress theme that enables authenticated attackers to execute arbitrary PHP code. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-6991 Overview

CVE-2025-6991 is a Local File Inclusion (LFI) vulnerability in the Kallyas theme for WordPress. The flaw affects all versions up to and including 4.21.0 and resides in the TH_LatestPosts4 widget. Authenticated attackers with Contributor-level access or higher can include and execute arbitrary .php files on the server. Successful exploitation enables execution of any PHP code present in included files, bypass of access controls, exposure of sensitive data, and remote code execution when attackers can stage .php content on the host. The weakness is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).

Critical Impact

Contributor-level attackers can include arbitrary local PHP files through the TH_LatestPosts4 widget, leading to code execution and full site compromise.

Affected Products

  • Kallyas WordPress theme versions up to and including 4.21.0
  • Sites running the vulnerable TH_LatestPosts4 widget
  • WordPress installations where untrusted users hold Contributor or higher roles

Discovery Timeline

  • 2025-07-26 - CVE-2025-6991 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-6991

Vulnerability Analysis

The Kallyas theme exposes the TH_LatestPosts4 widget, which accepts a user-controlled value used in a PHP include or require statement without sufficient validation. An authenticated user with at least Contributor privileges can supply a path that resolves to an arbitrary .php file on the server. PHP then parses and executes the included file in the context of the web server process.

The attack vector is network-based and requires low privileges with no user interaction, though attack complexity is rated high. The impact spans confidentiality, integrity, and availability because successful inclusion executes attacker-influenced PHP code with the same permissions as the WordPress process. The Exploit Prediction Scoring System places this issue in the mid-range of observed exploitation likelihood, but the low privilege bar makes it relevant for any multi-author WordPress deployment.

Root Cause

The root cause is improper neutralization of input used as a filename in a dynamic PHP include statement inside the TH_LatestPosts4 widget. The widget trusts attacker-supplied widget configuration values and passes them directly to a file inclusion sink, matching the pattern described by CWE-98.

Attack Vector

An attacker authenticates to WordPress as a Contributor or higher role. The attacker then submits crafted widget configuration data referencing a local .php file path. When the widget renders, PHP includes and executes the targeted file. If the environment allows the attacker to drop a .php payload via uploads, log poisoning, or other primitives, this becomes a path to remote code execution. Otherwise, the attacker can still chain inclusion of existing PHP files to bypass access controls or extract sensitive data.

No verified proof-of-concept code is published in the referenced advisories. See the Wordfence Vulnerability ID Analysis for additional technical detail.

Detection Methods for CVE-2025-6991

Indicators of Compromise

  • Unexpected modifications to widget configuration records in the wp_options table referencing TH_LatestPosts4
  • Web access log entries from Contributor or Author accounts triggering widget save or render endpoints with suspicious path values
  • PHP error log entries showing include or require failures referencing paths outside the theme directory
  • New or modified .php files in upload directories such as wp-content/uploads/

Detection Strategies

  • Inspect WordPress audit logs for low-privilege accounts editing or previewing pages that embed the TH_LatestPosts4 widget
  • Monitor for outbound network connections initiated by the PHP-FPM or web server process immediately after widget rendering
  • Hash and baseline theme and plugin PHP files, then alert on out-of-band file creation or modification
  • Review newly created Contributor or Author accounts for anomalous registration patterns

Monitoring Recommendations

  • Forward WordPress, web server, and PHP logs to a centralized logging or SIEM platform for correlation
  • Alert on POST requests to wp-admin/admin-ajax.php or widget endpoints containing path traversal sequences such as ../
  • Track process execution lineage from web server processes to identify shell spawns following widget activity
  • Continuously enumerate installed themes and versions to confirm Kallyas remains at a patched build

How to Mitigate CVE-2025-6991

Immediate Actions Required

  • Update the Kallyas theme to a version released after 4.21.0 that addresses CVE-2025-6991
  • Audit and remove unused or dormant Contributor, Author, and Editor accounts
  • Review the WordPress installation for unauthorized PHP files in upload and theme directories
  • Rotate WordPress administrative credentials and API keys if compromise is suspected

Patch Information

Review the Wordfence Vulnerability ID Analysis and the ThemeForest Item Overview for the latest theme release notes. Apply the vendor update through the WordPress dashboard or by replacing the theme files manually after backing up the site.

Workarounds

  • Remove or disable the TH_LatestPosts4 widget from active pages until the theme is patched
  • Restrict Contributor and Author roles using a least-privilege policy or temporarily downgrade untrusted accounts
  • Deploy a web application firewall rule blocking widget parameters containing ../ or absolute filesystem paths
  • Set open_basedir in PHP to confine includes to the WordPress installation directory
bash
# Example php.ini hardening to limit file inclusion scope
open_basedir = "/var/www/html/:/tmp/"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
allow_url_include = Off
allow_url_fopen = Off

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.