
CVE-2025-6990: CWE-94 Improper Control of Generation of Code ('Code Injection') in hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme

Severity: High
Tags: Vulnerability, CVE-2025-6990, CWE-94
Published: Sat Nov 01 2025 (11/01/2025, 07:30:03 UTC)
Source: CVE Database V5
Vendor/Project: hogash
Product: KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme

Description

The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 15:58:13 UTC

Technical Analysis

CVE-2025-6990 is a remote code execution (RCE) vulnerability in the KALLYAS - Creative eCommerce Multi-Purpose WordPress theme, affecting all versions up to and including 4.24.0. The root cause is a missing authorization check rather than a parsing bug: the TH_PhpCode pagebuilder widget, which embeds a PHP code editor, is not restricted to administrators. Any authenticated user with Contributor-level access or higher (Contributors can create and edit their own posts, so they can place builder widgets in content) can therefore store arbitrary PHP in a page and have the server execute it when that content is processed. The weakness is CWE-94 (Improper Control of Generation of Code): the theme turns user-supplied text into executable code without a trust boundary between "may edit content" and "may run code on the server", which in WordPress is normally reserved for administrators.

The CVSS v3.1 base score is 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, requires only a low-privilege account, no user interaction, and full impact on confidentiality, integrity and availability. Because the attacker obtains PHP execution in the web server's context, exploitation can lead to full compromise of the site and its host, credential and database theft, defacement, web shells for persistence, and lateral movement inside the hosting environment.

No patch or vendor advisory is linked in this record, and no in-the-wild exploitation has been reported. The advisory states only that 4.24.0 and earlier are affected, so check the theme changelog for a release newer than 4.24.0 before concluding that no fix exists. The CVE was reserved in July 2025 and published in November 2025 by Wordfence as the assigning CNA. Sites with several contributors or authors, or where self-registration grants Contributor or higher, are the most exposed, since the only precondition is one such account.

Potential Impact

The impact of CVE-2025-6990 is severe for organizations running WordPress sites with the vulnerable KALLYAS theme. Successful exploitation allows an attacker holding a low-privilege account (Contributor or higher) to execute arbitrary PHP code on the server, potentially leading to full server compromise. This can result in unauthorized data access or exfiltration, website defacement, deployment of malware or ransomware, and disruption of services; confidentiality, integrity and availability are all affected. Organizations relying on this theme for eCommerce or business-critical websites face financial loss, reputational damage and regulatory non-compliance, and on eCommerce sites customer and payment data stored or processed by the site is directly reachable from PHP. Since the attack requires authentication but no user interaction, a malicious insider, a phished or credential-stuffed contributor account, or an account obtained through open registration is sufficient. The widespread use of WordPress, combined with the popularity of multipurpose themes like KALLYAS, increases the number of affected systems. Without timely mitigation, attackers can use this vulnerability as a foothold for broader intrusions into the hosting environment.

Mitigation Recommendations

First check whether hogash has released a version newer than 4.24.0 and update; the advisory only states that 4.24.0 and earlier are affected. Until the site runs a fixed release, remove the exposure rather than relying on detection: disable the TH_PhpCode widget entirely, or enforce at save time that only administrators can store it, for example with a capability check such as current_user_can('manage_options') on the write path in a small must-use plugin. Audit existing content for pages that already contain the widget, especially those authored by non-administrator accounts, and treat any PHP found there as potentially malicious.

Reduce who can reach the precondition: review user roles, make sure self-registration does not hand out Contributor or higher (Settings > General > New User Default Role), remove stale accounts, and require multi-factor authentication for every account that can edit content. Monitor for abuse: unexpected new or modified pages from low-privilege users, PHP files appearing under wp-content/uploads, and unusual outbound connections or process execution from the PHP worker. A web application firewall rule matching PHP-looking payloads is only a weak secondary control here, because the payload travels through the legitimate editor save path and may be encoded inside builder data; do not rely on it alone. Keep tested backups, isolate the WordPress host from other systems to limit lateral movement, and if exploitation is suspected, rotate credentials, salts and API keys and inspect the host for web shells and other persistence.
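The save-time capability gate and the content audit described in the analysis and mitigation sections above, as an added example. This is not code from the KALLYAS theme or from hogash. Without the theme's source it assumes that the builder identifies the widget by the string TH_PhpCode somewhere in the saved post content or post meta; the bpc_ function names, the log line and the WP-CLI command name are mine. Drop it in wp-content/mu-plugins/ so it loads before the theme:

```php
<?php
/**
 * Plugin Name: Block TH_PhpCode widget for non-administrators (stopgap)
 * Description: Added example, not the KALLYAS theme's code. Denies storing the
 *              widget unless the current user is an administrator, and provides
 *              a WP-CLI audit of posts that already contain it.
 */

if ( ! defined( 'ABSPATH' ) ) { exit; }

// Assumption: the builder's saved data contains this identifier (the CVE names the
// widget by it; the exact storage format is not documented here).
const BPC_WIDGET_MARKER = 'TH_PhpCode';

function bpc_user_may_use_php_widget() {
    // Storing server-side code is an administrator action; 'manage_options' is
    // granted to administrators only in a default WordPress install.
    return current_user_can( 'manage_options' );
}

function bpc_payload_contains_widget( $value ) {
    // Walk strings, arrays and objects: builder element trees are nested arrays
    // and may also arrive as a serialized string.
    if ( is_string( $value ) ) {
        return stripos( $value, BPC_WIDGET_MARKER ) !== false;
    }
    if ( is_array( $value ) || is_object( $value ) ) {
        foreach ( (array) $value as $v ) {
            if ( bpc_payload_contains_widget( $v ) ) { return true; }
        }
    }
    return false;
}

function bpc_log_and_deny( $where, $post_id ) {
    $user = wp_get_current_user();
    error_log( sprintf( 'TH_PhpCode write blocked: user=%s (ID %d) post=%d location=%s',
        $user->user_login, $user->ID, (int) $post_id, $where ) );
    wp_die( 'The PHP code widget is restricted to administrators.', 'Forbidden', array( 'response' => 403 ) );
}

// 1. Gate writes that go through post_content (wp_insert_post / wp_update_post).
add_filter( 'wp_insert_post_data', function ( $data, $postarr ) {
    if ( bpc_payload_contains_widget( $data['post_content'] ?? '' ) && ! bpc_user_may_use_php_widget() ) {
        bpc_log_and_deny( 'post_content', $postarr['ID'] ?? 0 );
    }
    return $data;
}, 10, 2 );

// 2. Gate post meta writes, where page builders commonly store element trees.
//    Returning null lets WordPress proceed; we only ever deny or fall through.
$bpc_meta_guard = function ( $check, $object_id, $meta_key, $meta_value ) {
    if ( bpc_payload_contains_widget( $meta_value ) && ! bpc_user_may_use_php_widget() ) {
        bpc_log_and_deny( 'post_meta:' . $meta_key, $object_id );
    }
    return $check;
};
add_filter( 'update_post_metadata', $bpc_meta_guard, 10, 4 );
add_filter( 'add_post_metadata', $bpc_meta_guard, 10, 4 );

// 3. Audit: posts that already contain the widget, with the author's roles, so
//    instances stored by non-administrators can be reviewed and removed.
function bpc_audit_posts() {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( BPC_WIDGET_MARKER ) . '%';
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT DISTINCT p.ID, p.post_author, p.post_status
         FROM {$wpdb->posts} p
         LEFT JOIN {$wpdb->postmeta} m ON m.post_id = p.ID
         WHERE p.post_content LIKE %s OR m.meta_value LIKE %s",
        $like, $like
    ) );
    $out = array();
    foreach ( $rows as $r ) {
        $author = get_userdata( $r->post_author );
        $out[]  = array(
            'post'   => (int) $r->ID,
            'status' => $r->post_status,
            'author' => $author ? $author->user_login : '?',
            'roles'  => $author ? implode( ',', $author->roles ) : '?',
        );
    }
    return $out;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    // Usage: wp bpc-audit
    WP_CLI::add_command( 'bpc-audit', function () {
        foreach ( bpc_audit_posts() as $row ) {
            WP_CLI::line( sprintf( 'post %d [%s] by %s (%s)', $row['post'], $row['status'], $row['author'], $row['roles'] ) );
        }
    } );
}
```

Limitations to keep in mind: the two filters only see writes that pass through wp_insert_post() and the metadata API, so a builder endpoint that writes with $wpdb directly would bypass them, and the string match is a heuristic that can produce false positives on content merely mentioning the widget name. It buys time and gives you an inventory of existing instances; the actual fix is the vendor's update.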


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-07-01T21:10:09.036Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6905b8c4149d58da8cb27fe5

Added to database: 11/1/2025, 7:37:40 AM

Last enriched: 2/26/2026, 3:58:13 PM

Last updated: 3/24/2026, 7:06:43 PM

