CVE-2025-6989: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme
The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server.
AI Analysis
Technical Summary
CVE-2025-6989 is a path traversal vulnerability (CWE-22) in the KALLYAS - Creative eCommerce Multi-Purpose WordPress theme by hogash. It stems from insufficient validation of the file path in the delete_font() function, which deletes font-related folders: an authenticated user with Contributor-level permissions or higher can manipulate the path parameter to traverse outside the intended directory and delete arbitrary folders on the server filesystem. Because the Contributor role is commonly granted to users who can upload and manage content but not administer the site, the attack surface extends well beyond administrators. All versions of the theme up to and including 4.21.0 are affected. The CVSS v3.1 base score is 8.1: network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), and high integrity (I:H) and availability (A:H) impacts. Exploitation can delete critical files or directories, causing site outages or data loss. No patches or public exploits are currently available, but the vulnerability has been publicly disclosed and assigned a CVE identifier. Given the popularity of WordPress and of the KALLYAS theme on eCommerce and creative sites, it poses a significant risk to affected installations worldwide.
Potential Impact
The primary impact of CVE-2025-6989 is on the integrity and availability of affected WordPress sites using the KALLYAS theme. Attackers with Contributor-level access can delete arbitrary folders, potentially removing essential theme files, uploaded content, or other critical data. This can lead to site malfunction, defacement, or complete denial of service. Since the vulnerability does not affect confidentiality directly, sensitive data exposure is unlikely, but the loss of data or service disruption can severely affect business operations, especially for eCommerce sites relying on the theme. The ease of exploitation over the network and the relatively low privilege requirement increase the risk of exploitation. Organizations may face reputational damage, financial loss, and operational downtime if exploited. Recovery may require restoring from backups and thorough security audits to prevent further compromise.
Mitigation Recommendations
To mitigate CVE-2025-6989, organizations should immediately upgrade the KALLYAS theme to a patched version once available from the vendor. In the absence of an official patch, administrators should restrict Contributor-level permissions to trusted users only and audit existing user roles to minimize risk. Implementing web application firewalls (WAFs) with rules to detect and block path traversal attempts targeting the delete_font() function can provide temporary protection. Regular backups of website files and databases are critical to enable recovery from potential destructive attacks. Additionally, monitoring file system changes and access logs for suspicious deletion activity can help detect exploitation attempts early. Developers and site administrators should review custom code and plugins for similar path traversal vulnerabilities and apply strict input validation and sanitization on all file path parameters. Employing the principle of least privilege for all user roles and isolating critical directories with appropriate file system permissions will further reduce impact.
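The recommendation above to apply strict validation on file path parameters is illustrated by the following hardened "delete a font folder" handler. This is an added example written for this page; it is not the KALLYAS theme's code, and the function names, the AJAX action name and the `example-fonts` directory under the uploads folder are assumptions. It combines the controls the advisory calls for: an admin-level capability check so Contributors never reach the deletion path, a CSRF nonce, an allow-list on the identifier, and a canonical containment check that the resolved directory is a strict child of the fonts base directory before anything is deleted.

```php
<?php
// Added example (not the theme's code): defensive replacement for a
// "delete font folder" handler. Names and the fonts directory location
// are assumptions for illustration.

/**
 * Resolve a user-supplied font identifier to a directory strictly inside
 * $base_dir. Returns the canonical path, or false if the input is not a
 * plain slug, does not exist, or resolves outside the base directory.
 */
function example_resolve_font_dir( $base_dir, $font_name ) {
    // Allow-list: a short slug only, so "..", "/", "\" and NUL never get in.
    if ( ! is_string( $font_name ) || ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $font_name ) ) {
        return false;
    }

    // realpath() canonicalises "." / ".." segments and follows symlinks,
    // so a symlinked folder pointing outside the base is caught too.
    $base   = realpath( $base_dir );
    $target = realpath( $base_dir . DIRECTORY_SEPARATOR . $font_name );
    if ( false === $base || false === $target ) {
        return false; // base missing, or target does not exist
    }

    // Containment: the target must start with "<base>/" (prefix check
    // with the trailing separator, so "/fonts-evil" is not accepted for "/fonts").
    $base_prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $target, $base_prefix, strlen( $base_prefix ) ) !== 0 ) {
        return false;
    }

    return is_dir( $target ) ? $target : false;
}

/**
 * AJAX handler: authorisation, CSRF check, then constrained deletion.
 */
function example_delete_font_handler() {
    // Least privilege: managing theme assets is an administrator task,
    // so Contributor-level accounts are refused up front.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_delete_font', 'nonce' );

    $upload   = wp_upload_dir();
    $base_dir = $upload['basedir'] . '/example-fonts'; // assumed location
    $font     = isset( $_POST['font'] ) ? sanitize_key( wp_unslash( $_POST['font'] ) ) : '';

    $dir = example_resolve_font_dir( $base_dir, $font );
    if ( false === $dir ) {
        wp_send_json_error( 'invalid font', 400 );
    }

    // Delete only the validated directory, through the WP filesystem API.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    WP_Filesystem();
    global $wp_filesystem;
    if ( ! $wp_filesystem->rmdir( $dir, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_font', 'example_delete_font_handler' );
```

The two checks are deliberately redundant: the slug allow-list rejects traversal input before it touches the filesystem, and the realpath prefix comparison guarantees containment even if the allow-list is later relaxed (for example to permit sub-folders). Logging rejected requests from this handler also gives the file-deletion monitoring the advisory recommends a concrete signal to alert on.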
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-01T21:06:01.353Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6884849ead5a09ad005c4a0a
Added to database: 7/26/2025, 7:32:46 AM
Last enriched: 2/26/2026, 3:57:59 PM
Last updated: 3/23/2026, 7:35:10 AM