VYPR
Medium severity · 5.3 · NVD Advisory · Published Jan 15, 2026 · Updated Apr 15, 2026

CVE-2025-12895

Description

The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme as an open mail relay and send email to arbitrary email addresses on the server's behalf.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated attackers can abuse the Kalium theme's contact form function as an open mail relay to send arbitrary emails.

The Kalium 3 | Creative WordPress & WooCommerce Theme for WordPress contains a missing capability check in the kalium_vc_contact_form_request() function, present in all versions up to and including 3.29. This function is intended to handle contact form submissions but lacks proper authorization, allowing any unauthenticated user to trigger email sending without verifying the request's legitimacy [1].

An attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable endpoint, effectively using the WordPress installation as an open mail relay. No authentication is required, and the attacker can specify arbitrary email addresses as recipients, making the server send emails on behalf of the site [1].

The impact is that the server can be used to send spam or phishing emails, potentially damaging the reputation of the site owner and leading to blacklisting of the server's IP address. This can also facilitate further social engineering attacks against recipients who trust emails originating from the site's domain [1].

A fix was released in version 3.30 of the theme, as noted in the official changelog under the entry for December 18, 2025, which states "Addressed a security issue reported by Wordfence." Users are strongly advised to update to version 3.30 or later to mitigate this vulnerability [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
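The following is an added illustration of the flaw class described above, written for this page; it is not Kalium's code and not the vendor's 3.30 patch, whose contents the changelog entry does not describe. The hook names (example_contact_vulnerable, example_contact_form), the POST parameter names and the option name example_contact_recipient are invented for the example. The vulnerable handler assumes, consistent with the description's "arbitrary email addresses as recipients", that the recipient was taken from the request; the hardened handler shows the generic remediation for a contact form that must remain reachable by anonymous visitors.

```php
<?php
/**
 * Hypothetical WordPress contact-form AJAX handlers illustrating the
 * open-mail-relay flaw class of CVE-2025-12895. NOT Kalium's code: all
 * hook, parameter and option names here are invented for the example.
 * In a real theme only one of the two handlers would exist; they are
 * registered under different action names so both can be read side by side.
 */

/* ---- Vulnerable pattern: no authorization, recipient taken from the request ---- */

// wp_ajax_nopriv_* runs for unauthenticated visitors who POST to
// /wp-admin/admin-ajax.php with action=example_contact_vulnerable.
add_action( 'wp_ajax_nopriv_example_contact_vulnerable', 'example_contact_form_vulnerable' );
add_action( 'wp_ajax_example_contact_vulnerable', 'example_contact_form_vulnerable' );

function example_contact_form_vulnerable() {
	// Whoever can reach admin-ajax.php chooses recipient, subject and body:
	// the site is an open mail relay sending from its own domain.
	$to      = $_POST['to'] ?? '';
	$subject = $_POST['subject'] ?? '';
	$message = $_POST['message'] ?? '';
	wp_mail( $to, $subject, $message );
	wp_send_json_success();
}

/* ---- Hardened pattern ---- */

// The form template prints a hidden input named "nonce" whose value is
// esc_attr( wp_create_nonce( 'example_contact_form' ) ), submitted with the request.
add_action( 'wp_ajax_nopriv_example_contact_form', 'example_contact_form_hardened' );
add_action( 'wp_ajax_example_contact_form', 'example_contact_form_hardened' );

function example_contact_form_hardened() {
	// 1. Reject requests that do not carry the nonce issued with the rendered form.
	//    check_ajax_referer() dies with HTTP 403 on failure.
	check_ajax_referer( 'example_contact_form', 'nonce' );

	// 2. The recipient is site configuration, never request input. This is the
	//    control that actually closes the relay: a visitor may trigger a mail,
	//    but only to the address the site owner configured.
	$to = get_option( 'example_contact_recipient', get_option( 'admin_email' ) );
	if ( ! is_email( $to ) ) {
		wp_send_json_error( 'Contact form is not configured.', 500 );
	}

	// 3. Sanitize every visitor-supplied field. sanitize_text_field() and
	//    sanitize_email() strip CR/LF, so these values cannot inject extra headers.
	$name    = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
	$email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
	$message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
	if ( ! is_email( $email ) || '' === $message ) {
		wp_send_json_error( 'Invalid submission.', 400 );
	}

	// 4. Throttle per source address. A nonce for a logged-out visitor does not
	//    identify anyone, so this is what bounds automated submission volume.
	$bucket = 'example_cf_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
	if ( get_transient( $bucket ) ) {
		wp_send_json_error( 'Too many requests.', 429 );
	}
	set_transient( $bucket, 1, MINUTE_IN_SECONDS );

	// 5. Fixed subject; the visitor's address appears only in Reply-To, and the
	//    mail is still sent from the site's own configured sender.
	$subject = sprintf( '[%s] Contact form message', wp_strip_all_tags( get_bloginfo( 'name' ) ) );
	$body    = sprintf( "From: %s <%s>\n\n%s", $name, $email, $message );
	$headers = array( 'Reply-To: ' . $name . ' <' . $email . '>' );

	if ( ! wp_mail( $to, $subject, $body, $headers ) ) {
		wp_send_json_error( 'Mail could not be sent.', 500 );
	}
	wp_send_json_success();
}
```

Two points a practitioner should take from the contrast. First, "missing capability check" is the classification of the flaw, but a contact form exists to serve anonymous visitors, so the remedy cannot be a current_user_can() gate; what removes the relay is binding the recipient to server-side configuration so that no request parameter can redirect the mail, with the nonce and the per-address throttle only limiting cross-site and automated abuse. Second, to confirm exposure on a given site, compare the installed theme version against 3.30, for example with WP-CLI's wp theme list --fields=name,version or under Appearance > Themes, since the changelog entry quoted above is the only indication the page has of where the fix landed.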

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.