CVE-2025-62018

Vulnerability

Overview

The KALLYAS WordPress theme (versions up to and including 4.22.0) contains a missing authorization vulnerability, classified as a broken access control issue [1]. This means that certain functions within the theme do not properly verify whether the requesting user has the necessary permissions, allowing unauthenticated or low-privileged users to execute actions that should be restricted to higher-privileged roles.

Exploitation

Attackers can exploit this vulnerability without requiring any authentication, as the missing authorization check leaves privileged endpoints exposed [1]. The vulnerability is actively used in mass-exploit campaigns, where attackers target thousands of websites regardless of their size or popularity [1]. No special network position or additional prerequisites are needed beyond the ability to send HTTP requests to the vulnerable theme.

Impact

Successful exploitation grants an attacker unauthorized access to higher-privileged functionality within the WordPress site. This could lead to site compromise, including data theft, defacement, or further escalation of privileges [1]. The CVSS score of 5.3 (Medium) reflects the potential for significant impact without requiring complex attack vectors.

Mitigation

Users are strongly advised to update the KALLYAS theme to a patched version as soon as possible [1]. If an update is not immediately available, contacting the hosting provider or a web developer for assistance is recommended [1]. No workarounds are mentioned in the advisory, so updating is the primary mitigation.