CVE-2025-6991 is a high-severity vulnerability affecting the KALLYAS WordPress theme, a popular multi-purpose eCommerce theme developed by hogash. The vulnerability is classified as CWE-98, which involves improper control of filenames used in include or require statements in PHP programs, commonly known as a Remote File Inclusion (RFI) or Local File Inclusion (LFI) vulnerability. Specifically, this flaw exists in the 'TH_LatestPosts4' widget of all versions up to and including 4.21.0 of the KALLYAS theme. An authenticated attacker with Contributor-level access or higher can exploit this vulnerability to include and execute arbitrary PHP files on the server. This is possible because the theme does not properly validate or sanitize the filename parameter used in the include/require statement, allowing an attacker to specify a malicious PHP file. If the attacker can upload PHP files (for example, via other vulnerabilities or misconfigurations), they can execute arbitrary code on the server, bypass access controls, and potentially gain full control over the affected WordPress installation. The CVSS 3.1 base score is 7.5, reflecting a high severity due to the network attack vector, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk given the widespread use of WordPress and the popularity of the KALLYAS theme in eCommerce and multi-purpose websites. The lack of an official patch at the time of reporting increases the urgency for mitigation.

For European organizations, this vulnerability can have serious consequences, especially for businesses relying on WordPress sites using the KALLYAS theme for eCommerce or other critical functions. Successful exploitation can lead to unauthorized code execution, allowing attackers to steal sensitive customer data, including payment information, intellectual property, or internal business data. It can also enable attackers to deface websites, disrupt services, or use compromised servers as a foothold for further attacks within the organization's network. Given the Contributor-level access requirement, insider threats or compromised user accounts could be leveraged to exploit this vulnerability. The impact extends to reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), and financial losses from downtime or fraud. The vulnerability's ability to bypass access controls and execute arbitrary PHP code makes it a critical risk for maintaining the confidentiality, integrity, and availability of affected systems.

1. Immediate mitigation should include restricting Contributor-level user permissions and auditing existing user accounts to ensure no unauthorized users have elevated access. 2. Disable or remove the 'TH_LatestPosts4' widget if it is not essential to the website's functionality. 3. Implement strict input validation and sanitization on all user-controllable parameters, especially those that influence file inclusion paths. 4. Monitor file upload mechanisms to prevent uploading of executable PHP files or restrict uploads to safe file types only. 5. Employ Web Application Firewalls (WAFs) with rules designed to detect and block attempts to exploit file inclusion vulnerabilities. 6. Regularly update WordPress core, themes, and plugins; monitor vendor announcements for patches or updates addressing this vulnerability. 7. Conduct security audits and penetration testing focused on file inclusion and privilege escalation vectors. 8. As no official patch is available yet, consider applying temporary code-level mitigations such as hardcoding allowed file paths or disabling dynamic includes in the affected widget's code if feasible.