PT-2025-44721 · WordPress · Kallyas

Matthew Rollings · Published 2025-11-01 · Updated 2025-11-01 · CVE-2025-6990

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

kallyas versions prior to 4.24.0

Description

The kallyas theme for WordPress is susceptible to Remote Code Execution through the TH PhpCode pagebuilder widget. The theme does not restrict access to this code editor widget to administrators, so authenticated attackers with Contributor-level access or higher can execute code on the server.

Recommendations

Update kallyas to version 4.24.0 or later.

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-6990

Affected Products

Kallyas