CVE-2025-63061

Severity: MEDIUM 6.5 (CVSS 3.1)
Published: 2025-12-09

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

CVE Published: Dec 09, 2025 - 16:18 (nvd)
Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hogash KALLYAS kallyas allows DOM-Based XSS. This issue affects KALLYAS: from n/a through < 4.25.0.

Analysis (AI)

DOM-Based Cross-Site Scripting (XSS) in KALLYAS WordPress theme versions below 4.25.0 allows authenticated users with low privileges to inject scripts that execute in the browsers of other users, potentially exposing session cookies or credentials or performing unauthorized actions on their behalf. Exploitation requires user interaction (a victim clicking a crafted link) and affects the theme's web page generation routines. The EPSS probability is 0.01% (very low), so real-world exploitation is unlikely despite the moderate CVSS score of 6.5.

Technical Context (AI)

This vulnerability stems from improper input neutralization during DOM manipulation in the KALLYAS WordPress theme and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The theme fails to sanitize user-controlled input before inserting it into the DOM, which allows attacker-supplied JavaScript to run. WordPress themes are server-side PHP applications that generate HTML/CSS/JavaScript for client-side rendering; the DOM-based classification means the payload executes on the client after page load rather than being reflected in the initial HTML response. The flaw most likely resides in JavaScript event handlers or dynamic content injection routines within the theme's assets.

Affected Products (AI)

KALLYAS WordPress theme versions from the initial release through 4.24.x are affected; the vendor advisory confirms the fix is available in version 4.25.0 or later. The theme is distributed via WordPress.org and third-party marketplaces. CPE details are unavailable, but the product is identifiable as the KALLYAS theme by hogash, commonly referenced in WordPress plugin/theme vulnerability databases.

Remediation (AI)

Update KALLYAS to version 4.25.0 or later immediately through the WordPress dashboard (Appearance > Themes > Updates) or by downloading from the official WordPress theme directory. Site administrators should verify the update in wp-content/themes/kallyas/ to confirm that version 4.25.0 or later is installed. Sites that cannot update immediately should disable the KALLYAS theme and switch to an alternative until the patch is applied. Review the official Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/kallyas/vulnerability/wordpress-kallyas-theme-4-22-0-cross-site-scripting-xss-vulnerability?_s_id=cve for additional context and confirmation of the fix.
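As an added check that is not part of this advisory or the theme's own code: the script below reads the `Version:` header from the theme's style.css (where WordPress themes declare their version) under the wp-content/themes/kallyas/ path named above and reports whether the installed version is at or above 4.25.0. The sample header is constructed for illustration, not taken from the real theme, and the script falls back to it when the file is not present.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# First version that ships the fix, per the advisory on this page.
FIXED_VERSION = "4.25.0"
# Theme directory named in the remediation text; adjust if installed under another slug.
DEFAULT_STYLE_CSS = Path("wp-content/themes/kallyas/style.css")

# Constructed sample of a WordPress theme header (not the real KALLYAS file).
SAMPLE_STYLE_CSS = """/*
Theme Name: KALLYAS
Author: hogash
Version: 4.24.2
*/
"""

def parse_theme_version(style_css_text: str) -> Optional[str]:
    """Return the 'Version:' value from a theme style.css header, or None if absent."""
    m = re.search(r"^\s*Version:\s*([^\r\n]+)", style_css_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric key so that '4.24.10' > '4.24.9'; a suffix such as '-beta' is ignored."""
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    if not numeric:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in numeric.group(0).split("."))

def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed >= fixed; shorter versions are zero-padded ('4.25' == '4.25.0')."""
    a, b = version_key(installed), version_key(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def check_style_css(text: str) -> Tuple[Optional[str], bool]:
    """Return (installed version, patched?) for the given style.css contents."""
    v = parse_theme_version(text)
    return v, (v is not None and is_patched(v))

if __name__ == "__main__":
    text = DEFAULT_STYLE_CSS.read_text(errors="replace") if DEFAULT_STYLE_CSS.exists() else SAMPLE_STYLE_CSS
    version, ok = check_style_css(text)
    status = "patched" if ok else f"VULNERABLE (update to {FIXED_VERSION} or later)"
    print(f"KALLYAS version {version}: {status}")
```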


CVE-2025-63061 vulnerability details – vuln.today
