cbcvebase.

Hogash Kallyas Creative Ecommerce Multi-Purpose Wordpress Theme vulnerabilities

4 known vulnerabilities affecting hogash/kallyas_creative_ecommerce_multi-purpose_wordpress_theme.

Total CVEs
4
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH3MEDIUM1

Vulnerabilities

Page 1 of 1
CVE-2025-6990P2HIGHCVSS 8.8≤ 4.24.02025-11-01
CVE-2025-6990 [HIGH] CWE-94 CVE-2025-6990: The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and in The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execu
nvd
CVE-2025-6989P3HIGHCVSS 8.1≤ 4.21.02025-07-26
CVE-2025-6989 [HIGH] CWE-22 CVE-2025-6989: The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server.
nvd
CVE-2025-6991P3HIGHCVSS 7.5≤ 4.21.02025-07-26
CVE-2025-6991 [HIGH] CWE-98 CVE-2025-6991: The kallyas theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and inc The kallyas theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.21.0 via the 'TH_LatestPosts4` widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files.
nvd
CVE-2025-6988P4MEDIUMCVSS 6.4≤ 4.23.02025-11-01
CVE-2025-6988 [MEDIUM] CWE-79 CVE-2025-6988: The kallyas theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plug The kallyas theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 4.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject ar
nvd
Hogash Kallyas Creative Ecommerce Multi-Purpose Wordpress Theme vulnerabilities | cvebase