CVE-2025-6988: 
WordPress vulnerability analysis and mitigation

The kallyas theme for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-6988) affecting all versions up to and including 4.23.0. The vulnerability was publicly disclosed on October 31, 2025, and received a CVSS v3 base score of 6.4 (Medium) (AttackerKB, Tenable).

The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes in several of the plugin's shortcodes. The vulnerability requires an authenticated user with contributor-level access or higher privileges to exploit. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low impact on confidentiality and integrity (AttackerKB).

When successfully exploited, this vulnerability allows authenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This can lead to potential theft of sensitive information or manipulation of page content (Tenable).

The vulnerability has been patched in version 4.24.0 of the Kallyas theme. Users are advised to update to this version or later to mitigate the risk (Hogash Changelog).