CVE-2025-6990 is a remote code execution (RCE) vulnerability found in the KALLYAS WordPress theme, versions up to and including 4.24.0. The root cause is an improper control of code generation (CWE-94) within the TH_PhpCode pagebuilder widget, which fails to restrict access to the code editor functionality for non-administrative users. Specifically, authenticated users with Contributor-level privileges or higher can access this widget and inject arbitrary PHP code, which the server executes. This vulnerability allows attackers to execute malicious code remotely without requiring additional user interaction, potentially leading to full system compromise. The CVSS v3.1 base score is 8.8, indicating a high severity due to network attack vector, low attack complexity, and the requirement of low privileges but no user interaction. The impact spans confidentiality, integrity, and availability, as attackers can read sensitive data, modify or delete content, and disrupt service. Although no public exploits are reported yet, the vulnerability is critical due to the widespread use of WordPress and the popularity of the KALLYAS theme in e-commerce and multipurpose websites. The lack of a patch at the time of publication necessitates immediate mitigation steps to reduce risk.

For European organizations, especially those operating e-commerce or content-heavy WordPress sites using the KALLYAS theme, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive customer data, defacement or deletion of website content, and potential use of compromised servers as pivot points for further attacks within corporate networks. The breach of confidentiality could result in GDPR violations, leading to regulatory fines and reputational damage. The integrity and availability impacts could disrupt business operations, causing financial losses and customer trust erosion. Given the ease of exploitation by users with Contributor-level access, insider threats or compromised accounts amplify the risk. Organizations relying on third-party developers or contributors should be particularly cautious, as these roles could be leveraged to exploit the vulnerability.

Immediate mitigation should focus on restricting access to the TH_PhpCode widget to only trusted administrators. This can be achieved by modifying user role permissions within WordPress to prevent Contributors and other lower-privileged roles from accessing the code editor widget. Organizations should audit all user roles and remove unnecessary Contributor or higher privileges where possible. Until an official patch is released, consider disabling or removing the TH_PhpCode widget entirely if feasible. Monitoring web server logs for unusual PHP execution or unauthorized access attempts can help detect exploitation attempts early. Employing Web Application Firewalls (WAFs) with custom rules to block suspicious requests targeting the widget may provide temporary protection. Finally, once a patch becomes available from the vendor, apply it promptly and verify the update's effectiveness through testing.