CVE-2025-63061
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hogash KALLYAS kallyas allows DOM-Based XSS. This issue affects KALLYAS: from n/a through < 4.25.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-Based XSS vulnerability in KALLYAS WordPress theme allows attackers to inject malicious scripts via improper input neutralization, affecting versions prior to 4.25.0.
The KALLYAS WordPress theme suffers from a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This security flaw allows an attacker to inject arbitrary JavaScript code that executes within the context of a victim's browser when the victim interacts with a crafted page or link.
Exploitation requires user interaction, such as clicking a malicious link or visiting a specially crafted page. While the vulnerability can be initiated by a low-privileged user, successful exploitation typically requires a privileged user to perform an action, making it a risk for site administrators and editors [1]. The attacker does not need direct access to the server; instead, they rely on luring a victim into triggering the payload.
If exploited, an attacker can inject malicious scripts that may redirect visitors to malicious sites, display unwanted advertisements, or steal sensitive information. This type of vulnerability is often used in mass-exploit campaigns targeting thousands of WordPress sites, regardless of their popularity or traffic size [1].
The vulnerability has been addressed in version 4.25.0 of the KALLYAS theme. Users are strongly advised to update immediately to mitigate the risk. If updating is not possible, consider contacting your hosting provider or a web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.