CVE-2025-6991: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme
The kallyas theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.21.0 via the 'TH_LatestPosts4' widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-6991 is a high-severity vulnerability affecting the KALLYAS WordPress theme, a popular multi-purpose eCommerce theme developed by hogash. The vulnerability is classified as CWE-98, which involves improper control of filenames used in include or require statements in PHP programs, commonly known as a Remote File Inclusion (RFI) or Local File Inclusion (LFI) vulnerability. Specifically, this flaw exists in the 'TH_LatestPosts4' widget of the KALLYAS theme in all versions up to and including 4.21.0. The vulnerability allows authenticated attackers with Contributor-level privileges or higher to exploit the theme's improper input validation and include arbitrary PHP files on the server. This can lead to arbitrary code execution, bypassing access controls, and unauthorized access to sensitive data. The attack vector requires network access but no user interaction beyond authentication, and the attacker must have at least Contributor-level access, which is a relatively low privilege level in WordPress. The CVSS 3.1 base score is 7.5, reflecting high severity due to the potential for full confidentiality, integrity, and availability compromise. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk because it can be leveraged to execute malicious PHP code if an attacker can upload or otherwise place PHP files on the server. This could lead to complete site takeover, data theft, or further pivoting into internal networks. The lack of an official patch at the time of publication increases the urgency for mitigation.
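To make the CWE-98 pattern concrete, the following is an added illustration written for this analysis, not code from the KALLYAS theme: the widget class, the 'layout' option name and the templates directory are hypothetical. It shows a WordPress widget that builds an include path from a user-editable widget setting, next to an allowlisted version in which user data never reaches the filesystem path.

```php
<?php
// Added example, not KALLYAS code. Class, option and paths are hypothetical.
// A widget setting editable by anyone who can place the widget (for example a
// Contributor editing a post) selects which template file gets included.
class Hypothetical_LatestPosts_Widget extends WP_Widget {

    // VULNERABLE pattern (CWE-98): the include path is built from a string the
    // user controls, so PHP's include() follows whatever path it resolves to,
    // including a .php file the user managed to place on the server.
    public function widget_vulnerable( $args, $instance ) {
        $layout = $instance['layout'];
        include get_template_directory() . '/templates/' . $layout . '.php';
    }

    // HARDENED pattern: map the setting to a fixed allowlist of template
    // files and fall back to a default; the user's string is only a lookup key.
    const LAYOUTS = array(
        'list' => 'latest-posts-list.php',
        'grid' => 'latest-posts-grid.php',
    );

    public function widget( $args, $instance ) {
        $key  = isset( $instance['layout'] ) ? $instance['layout'] : 'list';
        $file = self::resolve_layout( $key );
        if ( null === $file ) {
            return; // unknown layout: render nothing rather than include
        }
        include $file;
    }

    // Returns an absolute path inside the theme's templates directory, or
    // null when the key is not on the allowlist or the path escapes the dir.
    public static function resolve_layout( $key ) {
        if ( ! is_string( $key ) || ! array_key_exists( $key, self::LAYOUTS ) ) {
            return null;
        }
        $base = realpath( get_template_directory() . '/templates' );
        $real = realpath( $base . '/' . self::LAYOUTS[ $key ] );
        if ( false === $base || false === $real
            || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
            return null;
        }
        return $real;
    }

    // Sanitize on save as well, so stored settings are always a valid key.
    public function update( $new_instance, $old_instance ) {
        $instance = $old_instance;
        $wanted   = isset( $new_instance['layout'] ) ? $new_instance['layout'] : '';
        $instance['layout'] = array_key_exists( $wanted, self::LAYOUTS ) ? $wanted : 'list';
        return $instance;
    }
}
```

A WAF rule or log search that flags widget settings containing path separators or a '.php' suffix, as suggested in the mitigation section, catches attempts against the vulnerable pattern; the allowlist removes the root cause.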
Potential Impact
For European organizations using the KALLYAS WordPress theme, this vulnerability presents a critical risk to website integrity and data security. Exploitation could lead to unauthorized access to customer data, including personal and payment information, which would have severe implications under GDPR regulations. The ability to execute arbitrary PHP code could allow attackers to deface websites, inject malware, or establish persistent backdoors, damaging brand reputation and causing operational disruptions. E-commerce sites relying on this theme could face financial losses due to downtime or fraud. Additionally, compromised sites could be used as launchpads for attacks on internal networks or other connected systems. Given the Contributor-level access requirement, insider threats or compromised user accounts could facilitate exploitation. The vulnerability also raises compliance risks, as organizations must demonstrate adequate security controls to protect personal data. Overall, the impact on confidentiality, integrity, and availability is high, and the threat could affect a broad range of sectors including retail, services, and public institutions in Europe that utilize WordPress with this theme.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the use of the KALLYAS theme, particularly versions up to 4.21.0. Until an official patch is released, organizations should restrict Contributor-level access strictly to trusted users and review user roles to minimize privilege exposure. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious include or require requests targeting the vulnerable widget can provide temporary protection. Monitoring server logs for unusual file inclusion attempts or unexpected PHP file uploads is critical for early detection. Organizations should also enforce strict file upload controls, disallowing PHP file uploads unless absolutely necessary, and sanitize all user inputs rigorously. Regular backups and incident response plans should be updated to handle potential exploitation scenarios. Once a patch becomes available, prompt application is essential. Additionally, consider isolating WordPress environments and employing least privilege principles for all user accounts to reduce attack surface.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-01T21:14:20.796Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6884849ead5a09ad005c4a0e
Added to database: 7/26/2025, 7:32:46 AM
Last enriched: 8/3/2025, 1:05:47 AM
Last updated: 9/8/2025, 2:08:07 AM
Related Threats
- CVE-2025-10098: SQL Injection in PHPGurukul User Management System (Medium)
- CVE-2025-56267: n/a (Unknown)
- CVE-2025-56266: n/a (Unknown)
- CVE-2025-10097: Code Injection in SimStudioAI sim (Medium)
- CVE-2025-51586: n/a (High)