CVE-2025-6990
WordPress · WordPress Kallyas Theme
A high-severity Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-6990 (CVSS 8.8), has been reported in the Kallyas theme for WordPress.
Executive summary
A high-severity Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-6990, has been reported in the Kallyas theme for WordPress. The flaw is described as allowing an unauthenticated attacker to execute arbitrary code on the server, which would give complete control of the affected website and a foothold for data theft and further intrusion into the hosting environment.
Vulnerability
The Kallyas theme fails to properly sanitize user-supplied input. According to the published description, a remote attacker can exploit this without an account by sending a specially crafted request to a vulnerable component within the theme. Successful exploitation allows arbitrary commands to run on the underlying server with the privileges of the web server process. That is enough to take over the WordPress installation (plant a web shell, read wp-config.php and the database credentials it holds) and serves as a starting point for privilege escalation on the host.
Business impact
This vulnerability carries a CVSS base score of 8.8, which falls in the High band (CVSS v3.x reserves Critical for 9.0 and above). A score of 8.8 with high confidentiality, integrity and availability impact is what CVSS v3.x yields for a network-reachable vector that requires low privileges (PR:L); the same vector with no privileges required scores 9.8. Check the published vector string before concluding that the flaw is reachable without any account. A successful exploit grants the attacker complete control over the affected website and potentially the underlying server. The consequences include, but are not limited to, theft of sensitive data (customer information, payment details, intellectual property), website defacement, service disruption, and the use of the compromised server to launch further attacks or host malicious content. Such an incident can result in significant financial loss, reputational damage, and regulatory penalties.
Remediation
Immediate Action:
- Update the Kallyas theme to the patched release (the vendor's fix is reported as a version greater than 4.0; confirm the exact fixed version in the vendor changelog). Themes bought from a marketplace rather than installed from the WordPress.org repository do not always surface update notices in the dashboard, so obtain the release from the vendor directly if none appears.
- If the theme is not essential or no longer in use, uninstall it and delete its directory from wp-content/themes to remove the attack surface. A theme that is merely deactivated is still present on disk and its PHP files remain reachable; note also that deleting a parent theme breaks any child theme built on it.
- Review WordPress user accounts (particularly newly created administrators), file permissions, and the contents of the theme and uploads directories for unauthorized changes such as added PHP files.
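The version check above can be scripted rather than done by eye. The following is an added example, not code from the advisory or from the theme vendor: it reads the Version header from the theme's style.css, which is where WordPress itself takes a theme's version from, and compares it with the fixed-version floor. The floor value 4.0 and its "strictly greater than" semantics are taken from this page's wording, and the sample style.css is constructed; confirm the real fixed version against the vendor changelog before relying on the verdict.

```shell
#!/bin/sh
# Added example: verify the installed Kallyas version against the fixed-version
# floor by reading the "Version:" line of a WordPress theme header (style.css).
# Assumption: the floor 4.0 is the figure given in this advisory; the sample
# style.css below is constructed and is not the vendor's file.

FIXED_FLOOR="4.0"

# Print the Version header value from a theme style.css read on stdin.
# Accepts "Version: 4.0.0" with or without a leading "*" comment marker.
theme_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_gt A B: exit 0 if dotted version A is strictly greater than B.
# Missing components count as 0, so 4.0 equals 4.0.0 and 4.0.1 > 4.0.
version_gt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 1   # equal is not greater
    }'
}

# Print PATCHED, VULNERABLE or UNKNOWN for a style.css read on stdin.
# Always exits 0; callers compare the printed verdict.
kallyas_status() {
    v=$(theme_version)
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_gt "$v" "$FIXED_FLOOR"; then
        echo "PATCHED"
    else
        echo "VULNERABLE"
    fi
}

# Constructed sample header, shaped like wp-content/themes/kallyas/style.css.
SAMPLE_STYLE_CSS='/*
Theme Name: Kallyas
Version: 4.0.0
*/'

# Live use: kallyas_status < /var/www/html/wp-content/themes/kallyas/style.css
printf '%s\n' "$SAMPLE_STYLE_CSS" | kallyas_status
```

Run it against every WordPress install on the host, not only the one that raised the alert: shared hosting commonly carries several copies of the same premium theme, and a child theme's style.css reports the child's version, so point the check at the parent directory.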
Proactive Monitoring:
- Monitor web server access logs for unusual or malformed POST requests targeting theme-specific files or AJAX actions (admin-ajax.php), in particular requests that call PHP files directly under wp-content/themes/ instead of going through the WordPress front controller.
- Implement File Integrity Monitoring (FIM) to detect unauthorized changes to core WordPress, theme, and plugin files, and new PHP files appearing under wp-content/uploads.
- Watch for unexpected outbound network connections or processes spawned by the web server user (e.g., www-data, apache).
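What "unusual POST requests targeting theme files or AJAX actions" looks like in a log is worth making concrete. The following is an added example, not from the advisory: an awk filter over combined-format access-log lines that flags two patterns. The log lines, IP addresses, the theme-internal path and the AJAX action name are constructed for illustration and are not observed attack traffic, and the rules are heuristics meant to generate leads for review, not a signature for this CVE.

```shell
#!/bin/sh
# Added example: triage combined-format access-log lines for requests worth a
# closer look on a site running Kallyas. The sample lines below are constructed
# (documentation-range IPs, an invented theme path and action name); they are
# not taken from the advisory or from real traffic.

# Read log lines on stdin, print "RULE<TAB>line" for each hit.
flag_theme_requests() {
    awk '
    {
        # Combined log format: $6 is "\"METHOD", $7 is the request target.
        method = substr($6, 2)
        target = $7
        # Rule 1: PHP executed directly out of the theme directory bypasses
        # the WordPress front controller and its capability checks. Themes
        # rarely need this, so every hit deserves review regardless of method.
        if (target ~ /^\/wp-content\/themes\/kallyas\/.*\.php/) {
            print "DIRECT_THEME_PHP\t" $0
            next
        }
        # Rule 2: a POST to admin-ajax.php from a client that does not
        # identify as a browser. This cuts the noise of normal editor traffic,
        # but an attacker can spoof the User-Agent, so a hit is a lead rather
        # than a verdict and a miss is not a clean bill of health.
        if (method == "POST" && target ~ /\/wp-admin\/admin-ajax\.php/ && $0 !~ /Mozilla/) {
            print "AJAX_NONBROWSER\t" $0
            next
        }
    }'
}

# Number of flagged lines for the log on stdin (always exits 0).
count_flagged() {
    flag_theme_requests | awk 'END { print NR }'
}

# Constructed sample log: two benign browser hits, a direct theme PHP call and
# a scripted admin-ajax POST from one client, then ordinary editor traffic.
SAMPLE_LOG='203.0.113.7 - - [10/Jul/2025:10:01:22 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:10:01:23 +0000] "GET /wp-content/themes/kallyas/style.css HTTP/1.1" 200 8871 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2025:10:02:01 +0000] "POST /wp-content/themes/kallyas/framework/example.php HTTP/1.1" 200 44 "-" "python-requests/2.32"
198.51.100.9 - - [10/Jul/2025:10:02:05 +0000] "POST /wp-admin/admin-ajax.php?action=zn_example HTTP/1.1" 200 12 "-" "python-requests/2.32"
192.0.2.55 - - [10/Jul/2025:10:02:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "https://example.com/wp-admin/" "Mozilla/5.0"
192.0.2.55 - - [10/Jul/2025:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Live use: flag_theme_requests < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_theme_requests
```

On a real log, pivot from each hit to everything else the same source IP did in the surrounding minutes: a scripted client that probes a theme script and then starts POSTing to admin-ajax.php is exactly the sequence the monitoring bullet above is meant to catch. Also note that the action parameter of an AJAX call is usually in the POST body, which access logs do not record, so a WAF or application-level log is needed to see it.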
Compensating Controls:
- Deploy a Web Application Firewall (WAF) with rules designed to block common RCE attack patterns and payloads. Treat this as a stopgap: a rule written without knowledge of the exact vulnerable endpoint and parameter can be bypassed by encoding or by an unexpected request shape.
- Harden the server environment by disabling potentially dangerous PHP functions (e.g., exec, shell_exec, passthru, system) through the disable_functions directive in php.ini if they are not required for legitimate application functionality. The directive is PHP_INI_SYSTEM, so it must be set in php.ini or in a PHP-FPM pool's php_admin_value and cannot be changed from .htaccess or ini_set(); that is also why a compromised application cannot undo it.
- Enforce strict file permissions so that the web server process cannot write to directories other than those that genuinely need it (typically wp-content/uploads), and prevent PHP execution inside the uploads directory.
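To make the php.ini control checkable rather than a one-off edit, the following is an added example, not from the advisory or from any vendor: a shell function that reads a php.ini and lists which of the dangerous functions are still callable, run here against a weak, a partial and a hardened fragment. All three ini fragments are constructed. The function list is the advisory's four plus proc_open and popen, which are an addition made here because they reach the same process-spawning capability.

```shell
#!/bin/sh
# Added example: audit the disable_functions directive of a php.ini.
# The ini fragments are constructed. The function list extends the four the
# advisory names (exec, shell_exec, passthru, system) with proc_open and popen,
# an addition made here because they spawn processes the same way.

DANGEROUS_FUNCS="exec shell_exec passthru system proc_open popen"

# Default state: nothing disabled (constructed).
WEAK_INI='; php.ini (constructed, weak)
disable_functions =
display_errors = On'

# Only the four the advisory names: proc_open and popen remain (constructed).
PARTIAL_INI='; php.ini (constructed, partial)
disable_functions = exec, shell_exec, passthru, system
display_errors = Off'

# Hardened: the whole process-spawning family disabled (constructed).
HARDENED_INI='; php.ini (constructed, hardened)
disable_functions = exec,shell_exec,passthru,system,proc_open,popen
display_errors = Off'

# Print each DANGEROUS_FUNCS entry that is NOT listed in the disable_functions
# directive of the php.ini read on stdin; empty output means hardened.
# Commented-out lines (";") never match because the pattern anchors the
# directive at line start; spaces around commas are tolerated.
still_enabled() {
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' \
               | tr -d ' \t' | tr ',' '\n')
    for f in $DANGEROUS_FUNCS; do
        printf '%s\n' "$disabled" | grep -qx "$f" || printf '%s\n' "$f"
    done
}

# Number of still-enabled functions (always exits 0, safe under set -e).
count_still_enabled() {
    still_enabled | awk 'NF { n++ } END { print n + 0 }'
}

# Live use: still_enabled < /etc/php/<version>/fpm/php.ini
for ini in "$WEAK_INI" "$PARTIAL_INI" "$HARDENED_INI"; do
    printf '%s\n' "$ini" | sed -n 1p
    printf '  still callable: %s\n' "$(printf '%s\n' "$ini" | still_enabled | tr '\n' ' ')"
done
```

Audit the php.ini that the SAPI serving WordPress actually loads: on Debian-style layouts the CLI and PHP-FPM read different files, so `php -r 'var_dump(ini_get("disable_functions"));'` reports the CLI setting, not the one protecting the site. After changing the directive, restart php-fpm or the web server and confirm the value through phpinfo() or a PHP-FPM status check from the web tier.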
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the severity of this vulnerability, immediate patching is strongly recommended for all organizations using the affected Kallyas theme. The issue is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and no public exploit is reported; KEV inclusion requires evidence of active exploitation, so its absence today is not evidence that the flaw is hard to exploit. Organizations should prioritize applying the vendor-supplied update. If patching is not immediately feasible, apply the compensating controls above and actively monitor for signs of exploitation.