CVE-2025-63060

MEDIUM
2025-12-09 [email protected]
4.3
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

CVE Published: Dec 09, 2025 - 16:18 (nvd)
Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)

Description

Cross-Site Request Forgery (CSRF) vulnerability in hogash KALLYAS (kallyas) allows Cross Site Request Forgery. This issue affects KALLYAS: from n/a through < 4.25.0.

Analysis

Cross-site request forgery in the KALLYAS WordPress theme before 4.25.0 lets an attacker who holds no account on the site cause a logged-in user to issue a state-changing request to a theme handler without that user's knowledge or consent, because the handler does not verify that the request was deliberately made from the site's own pages. The victim must already hold a valid WordPress session; the attacker needs none. The published CVSS 3.1 vector (PR:L, UI:N, C:L, I:N, A:N) scores the issue at 4.3 (medium) with a low confidentiality impact only. Note that this vector does not follow the conventional CSRF mapping (PR:N, UI:R): a CSRF attack always requires the victim to load attacker-controlled content, so read the vector as the publisher's scoring rather than as a statement of the attack's preconditions. The EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation likelihood.

Technical Context

CSRF (CWE-352) arises when a web application accepts a state-changing request on the strength of the browser's session cookie alone, with no proof that the authenticated user intended to send it. The browser attaches the WordPress login cookies to every request bound for the site, including one triggered from a page the attacker controls (an auto-submitting form, an image tag, a link), so an administrator or user who visits that page while logged in performs whatever action the forged request names. Which KALLYAS actions can be forced is not detailed in the advisory. The victim must already be authenticated, which limits targets to logged-in users, and the attacker must get such a user to load attacker-controlled content. WordPress theme and plugin CSRF issues of this type typically come down to a form or AJAX handler that omits the nonce check (wp_verify_nonce(), check_admin_referer(), check_ajax_referer()) or validates it incorrectly, often alongside a missing capability check (current_user_can()).
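The following is an added example, not code from the KALLYAS theme or from the Patchstack advisory; it shows the missing-nonce pattern described above beside its hardened form. It assumes a WordPress runtime (the functions are WordPress core APIs), and the option name demo_theme_accent, the action names demo_save_accent_vuln / demo_save_accent and the nonce field name _demo_nonce are hypothetical.

```php
<?php
/**
 * Added example (not KALLYAS code): a CSRF-prone WordPress admin form handler
 * beside the same handler with nonce and capability checks. Requires WordPress;
 * option, action and nonce-field names are hypothetical.
 */

// --- Vulnerable: the form carries no nonce and the handler trusts any POST it receives. ---
function demo_vulnerable_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_accent_vuln">
        <input type="text" name="accent" value="<?php echo esc_attr( get_option( 'demo_theme_accent', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function demo_save_accent_vulnerable() {
    // A page the attacker controls can auto-submit this POST from a logged-in admin's
    // browser: the session cookie is attached, and nothing proves the admin intended it.
    update_option( 'demo_theme_accent', sanitize_text_field( wp_unslash( $_POST['accent'] ?? '' ) ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_demo_save_accent_vuln', 'demo_save_accent_vulnerable' );

// --- Hardened: nonce bound to this action and this user's session, plus a capability check. ---
function demo_hardened_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_accent">
        <?php wp_nonce_field( 'demo_save_accent', '_demo_nonce' ); // emits _demo_nonce and _wp_http_referer ?>
        <input type="text" name="accent" value="<?php echo esc_attr( get_option( 'demo_theme_accent', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function demo_save_accent_hardened() {
    // 1. Authorization: the logged-in user must be allowed to change theme settings at all.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Intent: the request must carry a nonce generated for this action and this user.
    //    check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'demo_save_accent', '_demo_nonce' );

    update_option( 'demo_theme_accent', sanitize_text_field( wp_unslash( $_POST['accent'] ?? '' ) ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_demo_save_accent', 'demo_save_accent_hardened' );

// --- The same two checks for an AJAX handler, where missing nonces are just as common. ---
add_action( 'wp_ajax_demo_save_accent', function () {
    check_ajax_referer( 'demo_save_accent', '_demo_nonce' ); // dies with a 403 response on failure
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'demo_theme_accent', sanitize_text_field( wp_unslash( $_POST['accent'] ?? '' ) ) );
    wp_send_json_success();
} );
```

Two points worth keeping in mind when reviewing a theme's handlers: a WordPress nonce is tied to the action string, the user and the user's session token, and stays valid for roughly 12 to 24 hours rather than being single-use, so it proves intent, not freshness; and a nonce check is not an authorization check, which is why current_user_can() is still needed alongside it.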

Affected Products

All KALLYAS WordPress theme releases before 4.25.0 are affected; the advisory gives no lower bound ("n/a"). The vulnerability is fixed in KALLYAS 4.25.0 and later, and no intermediate patch versions are documented, so any installation below 4.25.0 should be assumed vulnerable. Affected installations can be identified by the hogash KALLYAS theme CPE (wordpress:kallyas_theme). Note that when a child theme is active the version that matters is the parent KALLYAS theme's, as recorded in the Version header of its style.css.
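An added example, not part of the advisory or of the KALLYAS project, for checking whether an installed copy falls in the affected range: it parses the Version header that WordPress themes declare in style.css and compares it against the first fixed release with PHP's version_compare(). The style.css headers below are constructed sample input; inside WordPress the same value comes from wp_get_theme( 'kallyas' )->get( 'Version' ), and from the command line from wp theme get kallyas --field=version.

```php
<?php
// Added example (not KALLYAS code): is an installed KALLYAS copy below the fixed release?
// Runs stand-alone with the PHP CLI; the style.css headers below are constructed samples.

const KALLYAS_FIXED_VERSION = '4.25.0';

/**
 * Extract the "Version:" header from a theme's style.css, matching the header
 * syntax WordPress itself accepts (optional comment decoration before the key).
 */
function theme_version_from_stylesheet( string $stylesheet ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*([0-9][0-9.]*)/mi', $stylesheet, $m ) ) {
        return $m[1];
    }
    return null; // no parseable Version header: treat as unknown, not as safe
}

/** True when $version is strictly below the first fixed release. */
function kallyas_is_affected( string $version ): bool {
    return version_compare( $version, KALLYAS_FIXED_VERSION, '<' );
}

// Constructed stand-ins for wp-content/themes/kallyas/style.css, with the expected verdict.
$samples = [
    "/*\nTheme Name: KALLYAS\nVersion: 4.24.9\n*/" => true,
    "/*\nTheme Name: KALLYAS\nVersion: 4.25.0\n*/" => false,
    "/*\nTheme Name: KALLYAS\nVersion: 4.25.1\n*/" => false,
    "/*\nTheme Name: KALLYAS\nVersion: 4.2.1\n*/"  => true,
];

foreach ( $samples as $css => $expected ) {
    $version  = theme_version_from_stylesheet( $css );
    $affected = $version !== null && kallyas_is_affected( $version );
    printf( "KALLYAS %-7s affected: %s\n", $version ?? '?', $affected ? 'yes' : 'no' );
    if ( $affected !== $expected ) {
        fwrite( STDERR, "unexpected verdict for version $version\n" );
        exit( 1 );
    }
}
```

For a child-theme setup, read the parent's style.css (or call wp_get_theme( 'kallyas' ) directly) rather than the active child theme's, since the child declares its own version.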

Remediation

Update KALLYAS to version 4.25.0 or later via the WordPress update mechanism (Dashboard > Updates or Appearance > Themes in the admin dashboard, or by uploading the updated theme package from the vendor). The fix is the one referenced in the Patchstack security advisory (https://patchstack.com/database/Wordpress/Theme/kallyas/vulnerability/wordpress-kallyas-theme-4-2-cross-site-request-forgery-csrf-vulnerability). Until the update is applied, reduce the impact of a forged request rather than expecting to block it: keep authenticated user roles at the minimum capabilities they need, review admin activity and theme-settings changes for anything no administrator made, and remind users with elevated roles not to browse untrusted sites while logged into WordPress (or to log out of the admin first).

Priority Score

22 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +22, POC 0


CVE-2025-63060 vulnerability details – vuln.today
