vulnerability

WordPress Theme: kalium: CVE-2025-12895: Missing Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:P/A:N)	Jan 15, 2026	Jan 15, 2026	Jan 16, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

Jan 15, 2026

Added

Jan 15, 2026

Modified

Jan 16, 2026

Description

The Kalium 3 | Creative WordPress and WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme an an open mail relay and send email to arbitrary email addresses on the server's behalf.

Solution

kalium-theme-cve-2025-12895

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-12895
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/0e65a794-1901-4e54-be4f-9422fe444057?source=api-prod
CVE-2025-12895
https://attackerkb.com/topics/CVE-2025-12895
CWE-862

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today