CVE-2025-6989

Kallyas · Kallyas theme for WordPress

Executive summary

A high-severity vulnerability has been identified in the Kallyas theme for WordPress, designated CVE-2025-6989. This flaw allows a remote attacker to delete arbitrary folders on the web server, which could lead to a complete website outage, data loss, and denial of service. Organizations using the affected theme are at significant risk of operational disruption and should take immediate action to mitigate this threat.

Vulnerability

The vulnerability exists within the delete_font() function of the Kallyas theme. This function fails to properly sanitize or validate user-supplied input for file paths. An attacker can exploit this by crafting a malicious request containing path traversal sequences (e.g., ../). This allows the attacker to navigate outside the intended font directory and target any other folder on the server that the web server process has write/delete permissions for, leading to arbitrary folder deletion. Exploitation likely requires an authenticated user role with access to the theme's font management features, but could result in the deletion of critical WordPress core files, plugin directories, or user-uploaded content.
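The following is an added illustration of the missing check described above; it is not the Kallyas theme's code or the vendor's patch. The font directory name and the inputs are constructed for the example. It contrasts a handler that only concatenates the supplied name onto the base directory with one that normalises the result and confirms it still lies inside that directory.

```python
"""Path-containment check of the kind a font-deletion handler needs.

Added illustration, not the Kallyas theme's code or its vendor patch. The
directory below is a hypothetical example and every input in the checks is
constructed. posixpath is used on purpose so the logic is the same on any host.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical directory a theme might store uploaded fonts in.
FONT_DIR = "/var/www/html/wp-content/uploads/theme-fonts"


def naive_font_path(base_dir: str, user_value: str) -> str:
    """What a handler that merely concatenates ends up acting on.

    Traversal sequences survive the join, so "../../wp-includes" resolves to a
    directory two levels above the font folder.
    """
    return posixpath.normpath(posixpath.join(base_dir, user_value))


def resolve_font_path(base_dir: str, user_value: str) -> str:
    """Return the absolute path for a user-supplied font name, or raise.

    Decode percent-encoding exactly once (the web stack normally does this
    already; decoding twice would turn %252e into "."), refuse null bytes and
    absolute paths, then normalise the joined path and require base_dir to be
    its common prefix, compared component-wise so that "/fonts-evil" is not
    mistaken for a child of "/fonts". The base directory itself is also
    rejected: deleting it is never a legitimate "delete font" request.
    """
    decoded = unquote(user_value)
    if "\x00" in decoded:
        raise ValueError("null byte in font name")
    if posixpath.isabs(decoded):
        raise ValueError("absolute path supplied")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes font directory: {decoded!r}")
    # A production handler should additionally resolve symlinks (realpath)
    # once the target exists, before calling any delete routine.
    return candidate


def is_safe_font_name(base_dir: str, user_value: str) -> bool:
    """Boolean wrapper around resolve_font_path for quick checks."""
    try:
        resolve_font_path(base_dir, user_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("open-sans", "../../wp-includes", "%2e%2e/%2e%2e/wp-includes", "x/.."):
        print(f"{name!r:32} naive -> {naive_font_path(FONT_DIR, name)}"
              f"  safe={is_safe_font_name(FONT_DIR, name)}")
```

The component-wise comparison via commonpath is the part most often skipped: a plain string prefix test would accept a sibling directory whose name merely starts with the font directory's name.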

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.1, primarily impacting system integrity and availability. Successful exploitation can lead to a complete denial of service by deleting core application directories, rendering the website inoperable. The deletion of content folders (e.g., wp-content/uploads) would result in irreversible data loss if backups are not available. The business consequences include significant website downtime, loss of customer trust, reputational damage, and financial costs associated with incident response, data recovery, and site restoration.

Remediation

Immediate Action: Update the Kallyas theme to the latest patched version (greater than version 4), as recommended by the vendor. If the theme is not actively used or is no longer required for business operations, deactivate it and remove it completely from the WordPress installation to eliminate the vulnerable code.

Proactive Monitoring: Monitor web server access logs and Web Application Firewall (WAF) logs for requests targeting the theme's delete_font() function or any requests containing path traversal payloads (../). Implement File Integrity Monitoring (FIM) to generate alerts for any unauthorized or unexpected file and folder deletions within the web root, particularly in the wp-includes, wp-admin, and wp-content directories.
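As an added example of the log review recommended above (not tooling from the advisory or the vendor), the script below scans access-log lines in Combined Log Format for traversal payloads, decoding percent-encoding twice so that double-encoded sequences are caught, and separately flags requests whose query references a delete_font action. The admin-ajax.php request shape and the action name are assumptions taken from the function name in this advisory, not a documented endpoint; the log lines are constructed. One caveat the sample makes visible: access logs do not record POST bodies, so a payload sent in the body is only seen in WAF logs.

```python
"""Scan web-server access logs for path-traversal payloads and for requests
that reference a theme's font-deletion action.

Added example, not part of the advisory. The request shape (admin-ajax.php
with an "action" containing delete_font) is an assumption based on the
function name in the advisory; all log lines are constructed and use
RFC 5737 documentation addresses.
"""
import re
from urllib.parse import unquote

# Combined Log Format: ip - user [timestamp] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A ".." segment preceded by start-of-string or a delimiter (/ \ = & ?) and
# followed by a separator or end-of-string, after normalisation.
TRAVERSAL_RE = re.compile(r'(?<![^/\\=&?])\.\.(?:[/\\]|$)')
ACTION_HINT = "delete_font"  # assumption: taken from the advisory's function name


def normalise(path: str) -> str:
    """Decode percent-encoding twice (catches %252e%252e) and fold backslashes."""
    return unquote(unquote(path)).replace("\\", "/")


def classify(path: str) -> list[str]:
    """Return the reasons a request path is worth a look, possibly none."""
    norm = normalise(path)
    reasons = []
    if TRAVERSAL_RE.search(norm):
        reasons.append("path-traversal")
    if ACTION_HINT in norm:
        reasons.append("font-delete-action")
    return reasons


def severity_for(reasons: list[str]) -> str:
    """Traversal aimed at the delete action outranks either signal alone."""
    if "path-traversal" in reasons and "font-delete-action" in reasons:
        return "high"
    if "path-traversal" in reasons:
        return "medium"
    return "info"


def scan_log(lines):
    """Parse each line and collect findings with line number and severity."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real scanner would count these
        reasons = classify(m["path"])
        if reasons:
            findings.append({
                "line": n, "ip": m["ip"], "status": int(m["status"]),
                "path": m["path"], "reasons": reasons,
                "severity": severity_for(reasons),
            })
    return findings


# Constructed sample traffic. Line 4 is a POST whose body (where a payload
# would sit) is not in the access log at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2025:12:00:01 +0000] "GET /wp-content/themes/kallyas/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2025:12:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=delete_font&font=..%2F..%2F..%2Fwp-includes HTTP/1.1" 200 34 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Jul/2025:12:01:15 +0000] "GET /index.php?page=%252e%252e%252fwp-config.php HTTP/1.1" 404 210 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Jul/2025:12:01:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 34 "-" "curl/8.0"',
    '192.0.2.44 - admin [10/Jul/2025:12:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=delete_font&font=open-sans HTTP/1.1" 200 34 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['severity']:<6} {f['ip']:<14} "
              f"{','.join(f['reasons'])}  {f['path']}")
```

Run against real logs, the "info" hits (legitimate font deletions by an administrator) give a baseline for who normally uses the feature, so a traversal hit from an unfamiliar account or address stands out; the HTTP status is kept because a 200 on a traversal attempt deserves more attention than a 403 from the WAF.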

Compensating Controls: If immediate patching is not feasible, implement the following controls:

  • Deploy a Web Application Firewall (WAF) with strict rules to block path traversal attack patterns.
  • Harden file system permissions to ensure the web server user account has read-only access to all non-essential directories and cannot delete critical application files.
  • Temporarily disable the affected theme and activate a default WordPress theme until a patch can be safely applied.
  • Ensure regular, automated, and verified backups of the entire WordPress site (files and database) are being performed and stored off-site.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 8.1) and the potential for catastrophic impact on website availability and data integrity, we strongly recommend that organizations using the Kallyas theme for WordPress apply the security update immediately. This vulnerability presents a significant and direct risk to business operations. Although it is not currently listed in the CISA KEV catalog, its potential for widespread disruption warrants treating this as a critical priority for remediation.