CVE-2025-6990 is a critical remote code execution (RCE) vulnerability identified in the KALLYAS WordPress theme, versions up to and including 4.24.0. The root cause is an improper control of code generation (CWE-94) within the TH_PhpCode pagebuilder widget, which is designed to allow embedding PHP code snippets. The theme fails to restrict access to this widget for non-administrative users, specifically allowing users with Contributor-level privileges or higher to access and execute arbitrary PHP code on the server. This vulnerability is particularly dangerous because Contributor-level users are commonly allowed on many WordPress sites to create and edit content without full administrative rights, thus expanding the attack surface. Exploitation requires authentication but no further user interaction, and the attack vector is network-based (remote). The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, as arbitrary code execution can lead to full server compromise, data theft, defacement, or service disruption. No public exploits have been reported yet, but the vulnerability is publicly disclosed and assigned a CVE ID, indicating that threat actors may develop exploits soon. The lack of a patch link suggests that a fix may not yet be available, increasing the urgency for interim mitigations. The vulnerability affects all versions of the KALLYAS theme, which is widely used for creative eCommerce and multi-purpose WordPress sites, making it a significant risk for websites relying on this theme for their online presence.

For European organizations, this vulnerability poses a severe risk, especially for those operating eCommerce platforms or content-rich websites using the KALLYAS theme. Successful exploitation can lead to complete server takeover, enabling attackers to steal sensitive customer data, inject malicious content, disrupt services, or use the compromised server as a pivot point for further attacks within the network. The breach of confidentiality could result in GDPR violations, leading to substantial fines and reputational damage. Integrity and availability impacts could disrupt business operations, causing financial losses and loss of customer trust. Since many European businesses rely on WordPress for their web presence, and KALLYAS is a popular theme, the threat is widespread. The vulnerability's exploitation by authenticated users means insider threats or compromised contributor accounts could be leveraged, increasing the risk profile. The lack of known exploits currently provides a small window for proactive defense, but the high severity score indicates that rapid response is critical to prevent exploitation as soon as exploit code becomes available.

Immediate mitigation steps include restricting access to the TH_PhpCode widget to only trusted administrators by modifying user role permissions or disabling the widget entirely if possible. Organizations should audit user roles and remove Contributor or higher privileges from untrusted users. Monitoring WordPress logs for unusual activity related to the pagebuilder or PHP code execution attempts can help detect exploitation attempts early. Until an official patch is released, consider deploying Web Application Firewall (WAF) rules to block suspicious requests targeting the vulnerable widget or PHP code injection patterns. Regular backups of the website and server environment should be maintained to enable rapid recovery in case of compromise. Additionally, organizations should stay informed about updates from the theme vendor and apply patches immediately upon release. For high-risk environments, consider isolating WordPress instances or running them with minimal privileges to limit the impact of potential exploitation.