A high-severity vulnerability has been identified in the kallyas theme for WordPress. This flaw, a Local File Inclusion (LFI), allows an unauthenticated attacker to access and read sensitive files on the web server. Successful exploitation could lead to the exposure of confidential data, such as database credentials and system configuration files, potentially enabling a complete compromise of the affected website.

The kallyas theme for WordPress is vulnerable to Local File Inclusion (LFI). This type of vulnerability occurs when the application uses user-supplied input to construct a path to a file that is then included or executed. An attacker can exploit this by manipulating the input to include path traversal characters (e.g., ../) to navigate the server's file system and access files outside of the intended directory, such as wp-config.php or /etc/passwd.

This vulnerability presents a High severity risk with a CVSS score of 7.5. Exploitation can directly lead to a data breach by exposing sensitive information stored on the server, including database credentials, application source code, and system user data. This could result in a complete website takeover, defacement, customer data theft, reputational damage, and potential regulatory fines. The ease of exploitation for LFI vulnerabilities means that any publicly accessible site using the vulnerable theme is at significant risk.

Immediate Action: Immediately update the kallyas theme to the latest patched version (greater than version 4). If the theme is installed but not active or no longer needed, it should be completely uninstalled and removed from the WordPress installation to eliminate the attack surface.

Proactive Monitoring: Monitor web server access logs for suspicious GET requests containing path traversal sequences (e.g., ../, ..%2f) targeting theme files. Implement a Web Application Firewall (WAF) to detect and block LFI attempts. Monitor for unusual file access patterns on the server, especially from the web server's user account.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rules to block path traversal and LFI attack patterns. Additionally, harden server file permissions to restrict the web server process from reading files outside of the web root directory, limiting the impact of a potential LFI exploit.

Public Exploit Available: true

Given the high severity (CVSS 7.5) and the simplicity of exploitation, we strongly recommend that organizations immediately apply the vendor-supplied patch. All internet-facing websites using the kallyas WordPress theme should be considered at high risk. A full inventory should be conducted to identify all instances of the vulnerable theme, and the update should be prioritized. Do not wait for this CVE to appear on the CISA KEV list to take action.