VYPR
Medium severity (6.4) · NVD Advisory · Published Nov 1, 2025 · Updated Apr 15, 2026

CVE-2025-6988

Description

The kallyas theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 4.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Kallyas WordPress theme via shortcodes allows authenticated contributors to inject arbitrary scripts, patched in version 4.24.0.

Vulnerability

Overview

The Kallyas WordPress theme, up to version 4.23.0, contains a stored cross-site scripting (XSS) vulnerability in several of its shortcodes. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious script content to be stored and later executed in the context of a victim's browser.
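As an added illustration (not Kallyas code, and not any of the theme's real shortcodes), the PHP below shows the pattern the description points at beside a hardened version of the same hypothetical `[demo_progress]` shortcode; it assumes a WordPress runtime for `shortcode_atts()`, `absint()`, `esc_attr()`, `esc_html()` and `add_shortcode()`.

```php
<?php
// Added illustration, not Kallyas code: a hypothetical [demo_progress] shortcode
// rendered two ways. Assumes WordPress core for shortcode_atts(), absint(),
// esc_attr(), esc_html() and add_shortcode().
//
// Why filtering the saved post does not help: WordPress stores the shortcode
// text ("[demo_progress title=...]") as plain text, so wp_kses on post content
// never sees any markup. The HTML is built here, at render time, from attributes
// the contributor chose, so this handler is the only place escaping can happen.

function demo_progress_defaults() {
    return array( 'title' => '', 'percent' => '0', 'color' => '' );
}

// VULNERABLE PATTERN: attribute values are concatenated straight into HTML.
// Each interpolation is a different injection context (CSS value, attribute
// value, text node) and none of them is type-checked or escaped.
function demo_progress_vulnerable( $atts ) {
    $atts = shortcode_atts( demo_progress_defaults(), $atts );
    return '<div class="bar" style="width:' . $atts['percent'] . '%;background:' . $atts['color'] . '">'
         . '<span title="' . $atts['title'] . '">' . $atts['title'] . '</span></div>';
}

// HARDENED PATTERN: constrain each attribute to the shape it must have first
// (integer, hex colour), since escaping alone does not make a CSS value safe,
// then escape free-form text for the exact context it lands in.
function demo_progress_hardened( $atts ) {
    $atts = shortcode_atts( demo_progress_defaults(), $atts );

    $percent = min( 100, absint( $atts['percent'] ) );                      // 0..100 only
    $color   = preg_match( '/^#[0-9a-fA-F]{6}$/', $atts['color'] ) ? $atts['color'] : ''; // allow-list
    $style   = 'width:' . $percent . '%;' . ( $color !== '' ? 'background:' . $color . ';' : '' );

    return '<div class="bar" style="' . esc_attr( $style ) . '">'
         . '<span title="' . esc_attr( $atts['title'] ) . '">' . esc_html( $atts['title'] ) . '</span>'
         . '</div>';
}

// Only the hardened handler is registered; the vulnerable one exists for comparison.
add_shortcode( 'demo_progress', 'demo_progress_hardened' );
```

The same review applies to every attribute a shortcode echoes: decide its type, reject what does not fit, and escape the remainder with the helper that matches where it is printed (`esc_attr` inside attributes, `esc_html` in text, `esc_url` for links).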

Exploitation

An attacker must be authenticated with at least contributor-level access to the WordPress site. By crafting a shortcode with a malicious attribute value, the attacker can inject arbitrary JavaScript or HTML. When any user (including administrators) visits a page containing the injected shortcode, the script executes. No additional privileges or network position are required beyond contributor access.

Impact

Successful exploitation enables the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, defacing pages, or performing other client-side attacks. The stored nature of the XSS means the payload persists until manually removed, affecting all subsequent visitors.

Mitigation

The vendor addressed this vulnerability in version 4.24.0, which includes improved security for the skills shortcode and other elements [1]. Version 4.25.0 further restricts contributor access to page builder features. Users are strongly advised to update to the latest version (4.25.0 or higher) to mitigate the risk.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions

No linked articles in our index yet.