CVE-2025-63060
Description
Cross-Site Request Forgery (CSRF) vulnerability in hogash KALLYAS (kallyas) allows Cross-Site Request Forgery. This issue affects KALLYAS: from n/a through < 4.25.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in the KALLYAS WordPress theme allows attackers to force authenticated users to execute unwanted actions.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the hogash KALLYAS WordPress theme, affecting versions from n/a through 4.24.x. The issue stems from insufficient CSRF protection, allowing a malicious actor to craft requests that can be executed under the authentication of a privileged user [1].
Exploitation
To exploit this vulnerability, an attacker must trick a logged-in user with elevated privileges (e.g., an administrator) into clicking a malicious link, visiting a crafted page, or submitting a specially designed form. No direct network access to the victim's site is required beyond inducing the user action [1]. User interaction is a prerequisite for successful exploitation.
Impact
An attacker can force the victim's browser to perform unintended actions on the WordPress site, such as changing settings, creating new admin accounts, or modifying content, while the victim is authenticated. This could lead to partial compromise of site integrity and confidentiality, though the CVSS score (4.3, Medium) reflects a low severity impact and limited likelihood of exploitation [1].
Mitigation
The vulnerability has been addressed in version 4.25.0 of the KALLYAS theme. Users are strongly advised to update to this version or later. If an immediate update is not possible, contacting a hosting provider or web developer for assistance is recommended. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (No linked articles in our index yet.)