CVE-2025-12895: CWE-862 Missing Authorization in Laborator Kalium 3 | Creative WordPress & WooCommerce Theme
The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme as an open mail relay and send email to arbitrary email addresses on the server's behalf.
AI Analysis
Technical Summary
CVE-2025-12895 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Kalium 3 | Creative WordPress & WooCommerce Theme, affecting all versions up to 3.29. The vulnerability arises from the absence of a capability check in the kalium_vc_contact_form_request() function, which handles contact form submissions. This missing authorization allows unauthenticated attackers to invoke this function and send emails from the server without restriction, effectively turning the site into an open mail relay. The vulnerability is remotely exploitable over the network without any authentication or user interaction, making it relatively easy to abuse. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the lack of confidentiality or availability impact but acknowledging the integrity impact due to unauthorized email sending. Exploitation could facilitate spam campaigns, phishing attacks, or reputation damage to the affected domains, potentially leading to blacklisting of the server's IP address. No patches or known exploits are currently reported, but the vulnerability's presence in a popular WordPress theme used for creative and e-commerce sites increases the risk profile. The vulnerability's exploitation scope is limited to sites running the vulnerable theme versions, but given WordPress's widespread use, the affected population is significant.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of their email systems and their reputations. Exploitation could lead to unauthorized mass email sending, which may result in the organization's mail servers being blacklisted by spam filters, disrupting legitimate email communications. This can affect customer trust, especially for e-commerce sites relying on WooCommerce, and may cause indirect financial losses due to reputational damage and potential downtime in email services. Additionally, attackers could use the open relay to distribute phishing emails, increasing the risk of successful social engineering attacks against employees or customers. The vulnerability does not directly compromise sensitive data or system availability but can be a stepping stone for further attacks or abuse. European organizations with strict data protection regulations (e.g., GDPR) might face compliance scrutiny if the vulnerability leads to data misuse or harms customers.
Mitigation Recommendations
1. Immediately update the Kalium theme to a patched version once available from the vendor to ensure the missing authorization check is implemented.
2. Until a patch is released, disable or restrict access to the vulnerable kalium_vc_contact_form_request() function, for example by applying web application firewall (WAF) rules to block unauthorized POST requests targeting this endpoint.
3. Configure outgoing mail servers to require authentication and restrict relay permissions to trusted applications only, preventing unauthorized email sending even if the vulnerability is exploited.
4. Monitor email logs for unusual spikes in outbound email volume or patterns indicative of spam or phishing campaigns.
5. Employ rate limiting on contact form submissions to reduce abuse potential.
6. Educate IT and security teams about this vulnerability to ensure rapid detection and response.
7. Consider isolating WordPress instances or using containerization to limit the blast radius of potential exploitation.
8. Regularly audit installed themes and plugins for vulnerabilities and maintain an up-to-date inventory to prioritize patching.
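The defect class described in the Technical Summary (a mail-sending AJAX handler reachable by anonymous visitors with no check on who may call it or where the mail goes) and mitigation steps 2 and 5 above can be illustrated with a small WordPress handler. The code below is an added example, not Kalium's code and not the theme's actual fix; the only names taken from the advisory are kalium_vc_contact_form_request() and version 3.29, which appear in comments. The hook names (example_contact_form), field names, and the rate limit of five submissions per ten minutes are assumptions. Because a contact form must serve logged-out visitors, the hardened handler cannot require a WordPress capability; it instead verifies a nonce bound to the form the site rendered, fixes the recipient to the site administrator, and throttles by client IP, so the endpoint can no longer be used as a relay.

```php
<?php
// Added example (not Kalium's code). Contrasts the weak handler shape the
// advisory describes for kalium_vc_contact_form_request() (<= 3.29) with a
// hardened handler. Hook/field names and limits are assumed for illustration.

// --- Weak pattern: exposed to anonymous callers via wp_ajax_nopriv_, no check
// that the request came from this site's form, and the recipient is read from
// the request. Any client can make the server send mail anywhere.
function example_contact_form_request_weak() {
    $to      = isset( $_POST['to'] ) ? $_POST['to'] : '';
    $subject = isset( $_POST['subject'] ) ? $_POST['subject'] : '';
    $message = isset( $_POST['message'] ) ? $_POST['message'] : '';
    wp_mail( $to, $subject, $message ); // sends on the server's behalf
    wp_send_json_success();
}
// add_action( 'wp_ajax_nopriv_example_contact_form', 'example_contact_form_request_weak' );

// --- Hardened pattern.
function example_contact_form_request_hardened() {
    // 1. Origin check: the nonce must match one this site embedded in its own
    //    form (wp_nonce_field( 'example_contact_form', 'nonce' ) in the markup).
    //    check_ajax_referer() terminates the request with HTTP 403 on failure.
    //    For admin-only actions, add current_user_can( 'manage_options' ) too.
    check_ajax_referer( 'example_contact_form', 'nonce' );

    // 2. The recipient is never taken from the request.
    $to = get_option( 'admin_email' );

    // 3. Per-IP rate limit stored in a transient (mitigation step 5).
    //    Assumed limit: 5 submissions per 10 minutes.
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    $key   = 'example_cf_rate_' . md5( $ip );
    $count = (int) get_transient( $key );
    if ( $count >= 5 ) {
        wp_send_json_error( 'Too many submissions; try again later.', 429 );
    }
    set_transient( $key, $count + 1, 10 * MINUTE_IN_SECONDS );

    // 4. Sanitize and bound visitor-supplied fields. The visitor's address is
    //    placed in Reply-To only, never in the recipient list, so the form
    //    cannot be turned into a relay. sanitize_text_field() strips newlines,
    //    which also blocks header injection through the name field.
    $name    = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( ! is_email( $email ) || '' === $message || strlen( $message ) > 5000 ) {
        wp_send_json_error( 'Invalid submission.', 400 );
    }

    $subject = sprintf( '[%s] Contact form message', get_bloginfo( 'name' ) );
    $headers = array( 'Reply-To: ' . $name . ' <' . $email . '>' );

    $sent = wp_mail( $to, $subject, $message, $headers );
    if ( $sent ) {
        wp_send_json_success();
    }
    wp_send_json_error( 'Mail delivery failed.', 500 );
}
// Registered for both logged-in and anonymous visitors; the nonce, fixed
// recipient and rate limit do the work the missing check left undone.
add_action( 'wp_ajax_nopriv_example_contact_form', 'example_contact_form_request_hardened' );
add_action( 'wp_ajax_example_contact_form', 'example_contact_form_request_hardened' );
```

The nonce is a check that the request originated from a form this site served, not an authorization check in the CWE-862 sense; for a public contact form that is the strongest caller check available, which is why fixing the recipient and throttling matter as much as the nonce. The transient-based limit is per PHP process storage unless an object cache is configured, so a WAF or mail-server-side rate limit (mitigation step 3) remains the authoritative control.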
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-07T18:51:08.718Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6968ec9a4c611209ad10acdb
Added to database: 1/15/2026, 1:33:14 PM
Last enriched: 1/15/2026, 1:50:30 PM
Last updated: 1/15/2026, 7:50:21 PM
Views: 8