CVE-2025-6989: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme
The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server.
AI Analysis
Technical Summary
CVE-2025-6989 is a high-severity vulnerability in the KALLYAS WordPress theme, a creative eCommerce multi-purpose theme developed by hogash. It is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly called path traversal). The flaw sits in the theme's delete_font() function in all versions up to and including 4.21.0: the function does not adequately validate the path it is asked to remove, so an authenticated user with Contributor-level access or higher can supply a name that escapes the intended fonts directory and have an arbitrary folder on the server deleted. The reach of that deletion is bounded only by the permissions of the PHP process, which on a typical single-site host has write access to the whole WordPress installation, including wp-content, the active theme and the plugins directory; removing any of these takes the site down and destroys data that may not exist anywhere else.

No user interaction is required beyond the attacker's own authenticated request, and the attack vector is the network, so exploitation is remote. The CVSS v3.1 base score is 8.1, consistent with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H: low attack complexity, only low privileges (Contributor) required, no confidentiality impact, and high impact on integrity and availability. No exploitation in the wild had been reported at the time of this analysis, but the low privilege bar and the theme's wide deployment make it a pressing concern for WordPress site administrators, and the absence of a patch at the time of disclosure makes interim mitigation more urgent.
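The following is an added illustration of the bug class the summary describes, not the Kallyas theme's code: a hypothetical WordPress AJAX handler that deletes a font folder by name, shown first in the vulnerable shape (path concatenation with no containment or capability check) and then hardened. The action names, the `font` parameter, the `example_` helper names and the `uploads/fonts` storage directory are all assumptions made for the example; the theme's real delete_font() is not reproduced here.

```php
<?php
// Added illustration of the CWE-22 pattern; not the Kallyas theme's code.
// Assumed: action names, the "font" POST parameter, the uploads/fonts directory.

// Recursively delete a directory tree (shared by both handlers below).
function example_rrmdir( $dir ) {
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ( $iterator as $entry ) {
        $entry->isDir() ? rmdir( $entry->getPathname() ) : unlink( $entry->getPathname() );
    }
    return rmdir( $dir );
}

// VULNERABLE: the caller-supplied name is glued onto the base directory and
// deleted. wp_ajax_* handlers run for any logged-in user, so without a
// capability check a Contributor reaches this code, and without a containment
// check a value such as "../../plugins" resolves outside the fonts directory.
add_action( 'wp_ajax_example_delete_font_vuln', function () {
    $fonts_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'fonts/';
    $name      = wp_unslash( $_POST['font'] ?? '' );
    example_rrmdir( $fonts_dir . $name );
    wp_send_json_success();
} );

// HARDENED: resolve the canonical path and accept it only if it is a direct
// child of the fonts directory. Returns the absolute path, or false.
function example_resolve_font_dir( $fonts_dir, $name ) {
    if ( ! is_string( $name ) || '' === $name || false !== strpos( $name, "\0" ) ) {
        return false;                                  // empty or NUL-byte input
    }
    $base = realpath( $fonts_dir );
    if ( false === $base ) {
        return false;                                  // base directory missing
    }
    // exactly one path component: no separators and not "." or ".."
    if ( $name !== basename( $name ) || in_array( $name, array( '.', '..' ), true ) ) {
        return false;
    }
    // realpath() collapses ".." segments and follows symlinks, so the parent
    // check runs on where the entry really lives, not on the input string
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $target || ! is_dir( $target ) || dirname( $target ) !== $base ) {
        return false;
    }
    return $target;
}

add_action( 'wp_ajax_example_delete_font', function () {
    check_ajax_referer( 'example_delete_font', 'nonce' );  // CSRF protection
    if ( ! current_user_can( 'manage_options' ) ) {         // Contributors stop here
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $fonts_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'fonts';
    $target    = example_resolve_font_dir( $fonts_dir, wp_unslash( $_POST['font'] ?? '' ) );
    if ( false === $target ) {
        wp_send_json_error( 'invalid font name', 400 );
    }
    example_rrmdir( $target );
    wp_send_json_success();
} );
```

The three guards in the hardened handler are independent and all three matter: the nonce stops cross-site requests, the capability check keeps low-privilege roles away from destructive operations entirely, and the realpath-plus-parent comparison is the actual CWE-22 fix, because a prefix test on the raw string is defeated by `..` segments and by symlinks inside the fonts directory that point elsewhere.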
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those running WordPress sites on the KALLYAS theme for eCommerce or other business-critical functions. Successful exploitation could delete essential directories, causing website downtime, loss of data and disruption of online services, which in turn damages reputation, causes financial loss and may breach data-protection obligations such as GDPR where customer data or operational continuity is affected. Because only Contributor-level access is needed, an attacker holding a compromised or deliberately registered low-privilege account can cause damage far beyond what that role is meant to permit, without ever obtaining administrator credentials. Given the popularity of WordPress and the KALLYAS theme in Europe, especially among small and medium enterprises (SMEs) and creative agencies, the threat spans retail, digital marketing and online services, and the disruption of an eCommerce platform can have cascading effects on supply chains and customer trust.
Mitigation Recommendations
First confirm exposure: check the installed Kallyas version in the WordPress admin (Appearance > Themes) or with WP-CLI (`wp theme list`); any version up to and including 4.21.0 is affected. Then audit accounts. Contributor is already the lowest role that can author content, so the useful step is not to strip permissions from that role but to review every account at Contributor level or above, remove stale or unrecognised ones, and confirm that open registration is disabled or that the default role for new registrations is Subscriber, since an attacker who can self-register as a Contributor needs nothing else. Enforce strong authentication on all accounts and monitor logs for unusual activity from Contributor-level users.

Detection must account for the fact that this attack deletes rather than modifies: a file-integrity monitor has to alert on missing files and directories, not only on changed hashes. A Web Application Firewall with a custom rule that blocks requests whose parameters contain `..` segments (including URL-encoded and double-encoded forms) on the endpoint that exposes the handler can provide temporary protection; the advisory does not name that endpoint, and for a theme feature driven from the admin UI it is most often admin-ajax.php. Such a rule is a stopgap that only catches the encodings it anticipates.

Since no official patch was available at disclosure, disable or restrict access to the vulnerable functionality if feasible, or, where the site can tolerate it, temporarily switch to another theme until a fixed release is available. Keep regular backups of files and database, stored off the web host, because a deleted wp-content can take the site's own backup plugin with it. Apply the vendor's patch as soon as it is released, and subscribe to vulnerability advisories for the theme so that updates are not missed.
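As an added example of the "restrict access to the vulnerable functionality" advice above, here is a must-use plugin that acts as an in-application virtual patch; it is not vendor code. Because the advisory does not name the endpoint, action or parameter involved, the guard assumes only that the folder name arrives in an ordinary GET or POST parameter, and it rejects any request from a logged-in, non-administrator user whose parameters contain a parent-directory segment. The hook, priority and `tg_` helper name are choices made for this example.

```php
<?php
/**
 * Plugin Name: Traversal guard (added illustration, not vendor code)
 *
 * Drop-in must-use plugin: wp-content/mu-plugins/traversal-guard.php
 * Assumption: the folder name reaches the vulnerable handler in a normal GET
 * or POST parameter. The advisory names no endpoint, action or parameter, so
 * every parameter of every request from a logged-in non-administrator is checked.
 */

// True if any scalar in $value (arrays are walked recursively) contains a
// parent-directory segment once URL encoding, including double encoding, and
// backslash separators have been normalised away.
function tg_contains_traversal( $value ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( tg_contains_traversal( $item ) ) {
                return true;
            }
        }
        return false;
    }
    $s = rawurldecode( rawurldecode( (string) $value ) );
    $s = str_replace( '\\', '/', $s );
    // ".." as a whole path component: "../x", "a/../b", "a/.." but not "a..b"
    return 1 === preg_match( '#(^|/)\.\.(/|$)#', $s );
}

add_action( 'init', function () {
    if ( ! is_user_logged_in() || current_user_can( 'manage_options' ) ) {
        return; // anonymous users cannot reach the handler; administrators are trusted
    }
    // $_GET and $_POST only, so cookie values never trigger the rule
    if ( ! tg_contains_traversal( array_merge( $_GET, $_POST ) ) ) {
        return;
    }
    error_log( sprintf(
        'traversal guard: blocked user %d on %s (action=%s)',
        get_current_user_id(),
        sanitize_text_field( $_SERVER['REQUEST_URI'] ?? '' ),
        sanitize_key( $_REQUEST['action'] ?? '' )
    ) );
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}, 0 );
```

The guard deliberately runs at priority 0 on `init`, before theme and plugin AJAX handlers are reached, and it leaves administrators untouched so that legitimate site management keeps working. Its limits are those of any generic rule: it does nothing against an attacker who has already obtained administrator access, it only recognises the encodings it decodes, and a plugin that legitimately submits paths containing `..` from a low-privilege account will be blocked too, which is why the log line exists. It is a stopgap until the theme is updated, not a replacement for the fix.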
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-01T21:06:01.353Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6884849ead5a09ad005c4a0a
Added to database: 7/26/2025, 7:32:46 AM
Last enriched: 7/26/2025, 7:47:52 AM
Last updated: 7/26/2025, 7:47:52 AM
Related Threats
- CVE-2025-6991 (High): CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme
- CVE-2025-5529 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sparklewpthemes Educenter
- CVE-2025-8181 (High): Least Privilege Violation in TOTOLINK N600R
- CVE-2025-8097 (Medium): CWE-20 Improper Input Validation in xTemos Woodmart
- CVE-2025-7501 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wonderplugin Wonder Slider