Introduction
A single Contributor-level account on a WordPress site running Kallyas up to 4.24.0 can lead to full server compromise. This vulnerability allows authenticated users to execute arbitrary PHP code via the TH_PhpCode widget, exposing sensitive data and enabling persistent access.
About Kallyas and Hogash Studio: Kallyas is a premium multi-purpose WordPress theme developed by Hogash Studio and sold on ThemeForest. It is widely used for eCommerce and business sites, with thousands of active installations. The theme's popularity and broad deployment make vulnerabilities in its codebase especially impactful across the WordPress ecosystem.
Technical Information
CVE-2025-6990 is a code injection vulnerability (CWE-94) in the Kallyas WordPress theme's TH_PhpCode pagebuilder widget. The widget is designed to let administrators add custom PHP code blocks to pages. However, due to missing capability checks, any authenticated user with Contributor access or higher can add this widget to a page and supply arbitrary PHP code.
When the page is saved or previewed, the PHP code is executed server-side with the privileges of the web server process. This enables attackers to:
- Create new administrator accounts
- Install backdoors or malicious plugins
- Read sensitive files such as wp-config.php
- Exfiltrate database credentials or user data
- Modify or deface site content
The root cause is the absence of proper authorization logic restricting the TH_PhpCode widget to administrators. The widget's documentation acknowledges its power, but the implementation failed to enforce role-based access control, allowing Contributors and above to leverage this functionality.
No public code snippets are available, but exploitation is straightforward: an attacker with Contributor credentials logs in, creates or edits a page, adds the TH_PhpCode widget, and injects malicious PHP code. The code executes when the page is rendered.
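As an added illustration (not Kallyas's code, whose source is not shown on this page), the kind of role-based gate the root cause calls for: a hypothetical PHP-code page-builder element that runs only when the post's author and last editor are administrators, plus a save-time filter that strips the element from non-admin submissions. The element name, its `code` attribute and the reliance on the `_edit_last` meta key are assumptions.

```php
<?php
// Added illustration, not Kallyas's code: element name, 'code' attribute and
// the '_edit_last' meta lookup are assumptions.

// Both the post author and the last editor must be administrators. Checking
// only the current viewer is not enough: an administrator previewing a
// Contributor's pending page would execute the Contributor's code.
function hypothetical_php_block_allowed( WP_Post $post ): bool {
    $author_ok   = user_can( (int) $post->post_author, 'manage_options' );
    $last_editor = (int) get_post_meta( $post->ID, '_edit_last', true );
    $editor_ok   = ( 0 === $last_editor ) || user_can( $last_editor, 'manage_options' );
    return $author_ok && $editor_ok;
}

// Render callback: the server-side execution the advisory describes, gated on role.
function hypothetical_php_block_render( array $atts, WP_Post $post ): string {
    if ( ! hypothetical_php_block_allowed( $post ) ) {
        // Refuse and leave a trail: a non-admin-authored PHP block is the attack vector.
        error_log( sprintf( 'PHP block refused: post %d, author %d', $post->ID, $post->post_author ) );
        return '';
    }
    $code = isset( $atts['code'] ) ? (string) $atts['code'] : '';
    if ( '' === $code ) {
        return '';
    }
    ob_start();
    eval( $code ); // administrator-supplied by design once the gate above holds
    return (string) ob_get_clean();
}

// Save-time guard: strip the element from content submitted by non-admins so a
// Contributor cannot store it for later execution by someone else.
add_filter( 'wp_insert_post_data', function ( array $data ): array {
    if ( current_user_can( 'manage_options' ) ) {
        return $data;
    }
    $data['post_content'] = preg_replace(
        '/\[hypothetical_php_block\b[^\]]*\](?:.*?\[\/hypothetical_php_block\])?/s',
        '',
        $data['post_content']
    );
    return $data;
} );
```

The render-time check matters even after the save-time filter: content stored before a fix is deployed, or imported from another site, never passed through the filter.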
Affected Systems and Versions
- Product: Kallyas WordPress Theme by Hogash Studio
- Affected versions: All versions up to and including 4.24.0
- Vulnerable configuration: Any WordPress site with the Kallyas theme <= 4.24.0 installed and at least one user with Contributor or higher access
Vendor Security History
- CVE-2025-6991: Local File Inclusion in TH_LatestPosts4 widget (Contributor+)
- CVE-2025-6989: Arbitrary Folder Deletion
- Broken access control in Kallyas <= 4.22.0
- Vendor released version 4.23.0 to restrict TH_PhpCode to administrators and address related issues
- Patch response time has been prompt, but repeated access control flaws highlight ongoing security challenges