CVE-2025-6989: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme
The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server.
AI Analysis
Technical Summary
CVE-2025-6989 is a high-severity vulnerability classified under CWE-22, which pertains to improper limitation of a pathname to a restricted directory, commonly known as a path traversal flaw. This vulnerability affects the KALLYAS WordPress theme, a creative eCommerce multi-purpose theme developed by hogash. The flaw exists in the delete_font() function present in all versions up to and including 4.21.0. The core issue is insufficient validation of file paths when deleting font resources, which allows an authenticated attacker with Contributor-level privileges or higher to craft malicious requests that traverse directories arbitrarily. This enables the deletion of arbitrary folders on the server hosting the WordPress installation. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 8.1, indicating a high severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality (C:N), but high impact on integrity (I:H) and availability (A:H). Although no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a significant risk. The ability to delete arbitrary folders can lead to severe consequences such as loss of critical website files, disruption of services, and potential escalation to further compromise if system files or backups are targeted. Given that WordPress themes are widely used and often run on shared hosting environments, the impact can be broad if exploited.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially for businesses relying on WordPress with the KALLYAS theme for their online presence and eCommerce operations. The ability for an attacker with relatively low privileges (Contributor-level) to delete arbitrary folders threatens website availability and integrity, potentially causing downtime, loss of customer trust, and financial damage. This is particularly critical for sectors such as retail, hospitality, and digital services where eCommerce functionality is essential. Additionally, deletion of folders could include removal of backups or configuration files, complicating recovery efforts and increasing incident response costs. The disruption could also affect compliance with European data protection regulations like GDPR if personal data availability or integrity is compromised. Organizations with limited IT security resources or those that do not regularly update themes and plugins are at heightened risk. Furthermore, the lack of known exploits in the wild currently does not diminish the urgency of patching, as public disclosure may lead to rapid development of exploit code.
Mitigation Recommendations
European organizations should take immediate and specific actions to mitigate this vulnerability. First, update the KALLYAS theme to a version beyond 4.21.0 as soon as a patched release is available from the vendor. If a patch is not yet released, temporarily restrict Contributor-level user permissions to prevent exploitation, or disable the delete_font() functionality if feasible. Implement strict file system permissions on the web server to limit the ability of the web application to delete or modify critical directories outside intended paths. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in requests targeting the theme's font deletion endpoints. Conduct thorough audits of user roles and remove unnecessary Contributor or higher privileges from users who do not require them. Regularly back up website data and verify backup integrity to ensure rapid recovery in case of folder deletion. Monitor web server and application logs for suspicious activity related to file deletion requests. Finally, educate site administrators about the risks of installing outdated themes and the importance of timely updates.
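As an added illustration of the control the mitigations above call for (validating the requested path before a font folder is deleted), the following is example code and not the KALLYAS theme's own delete_font(): it assumes a flat font directory and uses hypothetical names such as safe_delete_font() and $font_base.

```php
<?php
// Added example, not code from the KALLYAS theme. Names are hypothetical.
declare(strict_types=1);

/**
 * Delete one font folder that lives directly under $font_base.
 * Two independent controls: an allowlist on the identifier and a realpath()
 * containment check, so a later loosening of the regex still cannot let a
 * request escape the font directory. Returns false for any rejected request.
 * In WordPress this would also sit behind a capability check such as
 * current_user_can('edit_theme_options') and a nonce, out of Contributors' reach.
 */
function safe_delete_font(string $font_base, string $font_name): bool
{
    // Control 1: font identifiers are plain tokens; no separators, dots or spaces.
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/', $font_name) !== 1) {
        return false;
    }
    $candidate = $font_base . DIRECTORY_SEPARATOR . $font_name;
    // Refuse a symlinked font folder: realpath() would otherwise follow it.
    if (is_link($candidate) || !is_dir($candidate)) {
        return false;
    }
    // Control 2: resolve both sides and require the target to be strictly inside.
    $base   = realpath($font_base);
    $target = realpath($candidate);
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    // Font folders are assumed flat (font files only); nested dirs are not removed.
    foreach (scandir($target) as $entry) {
        if ($entry !== '.' && $entry !== '..' && is_file("$target/$entry")) {
            unlink("$target/$entry");
        }
    }
    return rmdir($target);
}

// Constructed layout: a font directory with one font folder and a sibling directory.
$root = sys_get_temp_dir() . '/fontdemo_' . bin2hex(random_bytes(4));
mkdir("$root/fonts/myfont", 0700, true);
touch("$root/fonts/myfont/regular.woff");
mkdir("$root/sibling", 0700, true);
$rejected  = safe_delete_font("$root/fonts", '../sibling');  // traversal-style input, refused
$deleted   = safe_delete_font("$root/fonts", 'myfont');      // legitimate request
$untouched = is_dir("$root/sibling");
printf("traversal rejected: %s, font removed: %s, sibling intact: %s\n",
    var_export(!$rejected, true), var_export($deleted, true), var_export($untouched, true));
```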
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-01T21:06:01.353Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6884849ead5a09ad005c4a0a
Added to database: 7/26/2025, 7:32:46 AM
Last enriched: 8/3/2025, 1:05:35 AM
Last updated: 9/6/2025, 7:46:12 AM