CVE-2025-6991: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme
The kallyas theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.21.0 via the 'TH_LatestPosts4' widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-6991 is a Local File Inclusion vulnerability affecting all versions of the KALLYAS WordPress theme up to 4.21.0. The vulnerability exists in the 'TH_LatestPosts4' widget, which improperly controls the filename parameter used in PHP include or require statements. This improper control (classified under CWE-98) allows authenticated users with Contributor-level privileges or higher to manipulate the filename input to include arbitrary PHP files from the server. Since WordPress Contributor roles can upload files (though typically not PHP), if an attacker can upload PHP files via other means or leverage existing files, they can execute arbitrary PHP code on the server. This leads to potential full compromise of the web server, including bypassing access controls, data exfiltration, and remote code execution. The vulnerability requires authentication but no further user interaction, and the attack vector is network-based. The CVSS v3.1 score is 7.5 (High), reflecting the significant confidentiality, integrity, and availability impacts combined with the requirement for low privileges and no user interaction. No patches or official fixes are currently linked, and no known exploits are reported in the wild, but the risk remains high due to the theme's widespread use in WordPress eCommerce and multipurpose sites.
Potential Impact
The impact of CVE-2025-6991 is substantial for organizations using the KALLYAS WordPress theme. Successful exploitation allows attackers with minimal privileges (Contributor role) to execute arbitrary PHP code on the web server, potentially leading to full server compromise. This can result in unauthorized access to sensitive customer and business data, defacement of websites, installation of backdoors or malware, and disruption of services. For eCommerce sites, this could mean theft of payment information, customer data breaches, and loss of business reputation. The ability to bypass access controls also increases the risk of privilege escalation and lateral movement within the hosting environment. Given WordPress's popularity and the theme's multipurpose use, a large number of websites globally could be at risk, especially those that do not restrict Contributor-level access tightly or lack additional security controls.
Mitigation Recommendations
To mitigate CVE-2025-6991, organizations should immediately restrict Contributor-level access to trusted users only, minimizing the risk of exploitation. Disable or remove the vulnerable 'TH_LatestPosts4' widget if it is not essential. Monitor file upload directories and remove any unauthorized PHP files to prevent attackers from including malicious code. Implement Web Application Firewall (WAF) rules to detect and block attempts to exploit file inclusion vulnerabilities, particularly those targeting the affected widget. Regularly audit user roles and permissions to ensure the principle of least privilege is enforced. Since no official patch is currently linked, organizations should monitor vendor advisories for updates and apply patches promptly once available. Additionally, consider deploying runtime application self-protection (RASP) or PHP hardening techniques to restrict include paths and the execution of unauthorized files. Back up website data regularly and have an incident response plan ready in case of compromise.
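The "restrict include paths" hardening recommended above is the code-level fix for CWE-98: the value that reaches include/require must never be derived directly from user-controlled input. The following is an added example, not the KALLYAS theme's own code, of a guarded template loader that a theme or plugin could use at an include site. The directory layout, the GuardedTemplateLoader class, the allowlist entry 'latest-posts' and the temporary template files are all hypothetical and constructed for the demonstration; it runs stand-alone with the PHP CLI.

```php
<?php
// Added example (not the KALLYAS theme's code): a guarded include helper that
// shows the CWE-98 hardening described in the mitigation section. The template
// directory, class name and allowlist below are hypothetical and constructed.

declare(strict_types=1);

final class GuardedTemplateLoader
{
    /** Absolute, canonical path of the only directory includes may come from. */
    private string $baseDir;

    /** @var array<string,true> explicit allowlist of template names (no extension) */
    private array $allowed;

    public function __construct(string $baseDir, array $allowedNames)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException('template directory does not exist: ' . $baseDir);
        }
        $this->baseDir = $real;
        $this->allowed = array_fill_keys($allowedNames, true);
    }

    /**
     * Resolve an untrusted template name to a path inside $baseDir, or return null.
     * The checks are layered: the allowlist alone would suffice, but the shape and
     * canonical-path checks also catch a misconfigured allowlist entry or a symlink.
     */
    public function resolve(string $untrusted): ?string
    {
        // 1. Shape check: only a short, plain identifier is acceptable. This rejects
        //    '../', null bytes, stream wrappers (php://, data://) and URLs outright.
        if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $untrusted)) {
            return null;
        }
        // 2. Allowlist check: the name must be one the theme actually ships.
        if (!isset($this->allowed[$untrusted])) {
            return null;
        }
        // 3. Canonical-path check: the loader adds its own extension, and the resolved
        //    file must exist and still sit beneath $baseDir after symlink resolution.
        $candidate = realpath($this->baseDir . DIRECTORY_SEPARATOR . $untrusted . '.php');
        if ($candidate === false || !is_file($candidate)) {
            return null;
        }
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $candidate;
    }

    /** Include the template only if it resolved; the raw input never reaches include. */
    public function render(string $untrusted): bool
    {
        $path = $this->resolve($untrusted);
        if ($path === null) {
            error_log('rejected template include: ' . $untrusted); // detection signal for logs
            return false;
        }
        include $path;
        return true;
    }
}

// Self-contained demonstration using constructed, temporary template files.
$dir = sys_get_temp_dir() . '/guarded-include-demo-' . getmypid();
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/latest-posts.php', "<?php echo 'latest posts template ran', PHP_EOL;\n");
file_put_contents($dir . '/not-allowed.php', "<?php echo 'THIS MUST NEVER RUN', PHP_EOL;\n");

$loader = new GuardedTemplateLoader($dir . '/templates', ['latest-posts']);

$inputs = [
    'latest-posts',             // legitimate allowlisted name: included
    '../not-allowed',           // traversal: rejected by the shape check
    'latest-posts.php',         // caller-supplied extension: rejected by the shape check
    'php://filter/resource=x',  // stream wrapper: rejected by the shape check
    'not-allowed',              // valid shape but not allowlisted: rejected
];
foreach ($inputs as $in) {
    printf("%-28s => %s\n", var_export($in, true), $loader->render($in) ? 'included' : 'rejected');
}

// Clean up the constructed files.
unlink($dir . '/templates/latest-posts.php');
unlink($dir . '/not-allowed.php');
rmdir($dir . '/templates');
rmdir($dir);
```

Only the first input is included; the other four are refused before include is reached, and each refusal is written to the error log, which gives a WAF or log-monitoring rule something concrete to alert on. The design point is that the allowlist, not path sanitization, is the primary control: sanitizing a path is hard to get right, whereas mapping a short identifier to a file the code itself names leaves no attacker-controlled component in the include argument.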
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-01T21:14:20.796Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6884849ead5a09ad005c4a0e
Added to database: 7/26/2025, 7:32:46 AM
Last enriched: 2/26/2026, 3:58:26 PM
Last updated: 3/26/2026, 12:17:08 AM