CVE-2025-6989
Published: 26 July 2025
Summary
CVE-2025-6989 is a high-severity Path Traversal (CWE-22) vulnerability in the Kallyas theme for WordPress, distributed through ThemeForest (vendor inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 33.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the insufficient file path validation in delete_font() that enables path traversal for arbitrary folder deletion.
- Enforces least privilege to prevent Contributor-level users from performing arbitrary folder deletions beyond their authorized scope.
- Mandates enforcement of access controls to block unauthorized logical access to, and deletion of, server folders.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal deletion in a public-facing WordPress component directly enables remote exploitation (T1190) and arbitrary folder removal for indicator wiping or data destruction (T1070.004, T1485).
NVD Description
The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server.
Deeper analysis
CVE-2025-6989 is a vulnerability in the Kallyas theme for WordPress, affecting all versions up to and including 4.21.0. It arises from insufficient file path validation in the delete_font() function, enabling arbitrary folder deletion on the server. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The CVE was published on 2025-07-26T08:15:26.160.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction. Exploitation allows deletion of arbitrary folders on the server, resulting in high impacts to integrity and availability, though confidentiality remains unaffected.
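The two controls named above (input validation of the target path and least privilege on the caller) can be seen together in a hardened "delete font folder" handler. This is an illustrative example added here, not the Kallyas theme's own code: the function names, the `fonts` directory under the uploads base, the `manage_options` capability and the nonce action are all assumptions.

```php
<?php
// Illustrative hardening for a font-folder deletion handler (not the Kallyas
// theme's code). Function, directory and capability names are assumptions.

/**
 * Resolve $name strictly inside $base_dir; returns the canonical path or null.
 * Rejects traversal sequences, absolute paths, symlinks escaping the base,
 * and anything that does not resolve to an existing directory.
 */
function resolve_font_dir( string $base_dir, string $name ): ?string {
    // Allow exactly one path component drawn from a safe character set.
    if ( ! preg_match( '/\A[A-Za-z0-9_-]{1,64}\z/', $name ) ) {
        return null;
    }
    $base   = realpath( $base_dir );
    $target = realpath( $base_dir . DIRECTORY_SEPARATOR . $name );
    if ( false === $base || false === $target ) {
        return null;
    }
    // The canonical target must sit directly below the canonical base.
    if ( dirname( $target ) !== $base || ! is_dir( $target ) ) {
        return null;
    }
    return $target;
}

/**
 * AJAX handler: require a nonce and an administrator-level capability,
 * then delete only a validated font directory. Contributors are refused.
 */
function delete_font_dir_handler() {
    check_ajax_referer( 'delete_font_dir' );           // CSRF protection
    if ( ! current_user_can( 'manage_options' ) ) {     // least privilege (AC-6)
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload   = wp_upload_dir();
    $base_dir = $upload['basedir'] . '/fonts';          // assumed storage dir
    $name     = isset( $_POST['font'] ) ? (string) wp_unslash( $_POST['font'] ) : '';

    $dir = resolve_font_dir( $base_dir, $name );        // path validation (AC-3)
    if ( null === $dir ) {
        wp_send_json_error( 'invalid font directory', 400 );
    }
    // Remove regular files only, then the directory; never recurse.
    foreach ( glob( $dir . '/*' ) ?: array() as $file ) {
        if ( is_file( $file ) ) {
            unlink( $file );
        }
    }
    wp_send_json_success( array( 'deleted' => rmdir( $dir ) ) );
}
add_action( 'wp_ajax_delete_font_dir', 'delete_font_dir_handler' );
```

Because the name is whitelisted before `realpath()` is consulted, a request such as `../../wp-content` fails at the first check, and a symlink planted inside the fonts directory fails at the `dirname()` comparison.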
Advisories providing further details and potential mitigation steps are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/9a8a3607-4f2e-44fb-8141-75f7620508d4?source=cve and the Kallyas theme page on ThemeForest at https://themeforest.net/item/kallyas-responsive-multipurpose-wordpress-theme/4091658.
Details
- CWE(s)