CVE-2025-12895
📋 TL;DR
This vulnerability allows unauthenticated attackers to use the Kalium WordPress theme as an open mail relay, sending emails from the server without authorization. It affects all WordPress sites using Kalium theme versions up to 3.29. Attackers can send spam, phishing emails, or conduct email-based attacks using the compromised server's reputation.
💻 Affected Systems
- Kalium 3 | Creative WordPress & WooCommerce Theme
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Server becomes part of spam/phishing campaigns, gets blacklisted by email providers, and organization faces reputational damage and potential legal liability for malicious emails sent from their infrastructure.
Likely Case
Attackers send spam emails or phishing campaigns using the server's legitimate email infrastructure, potentially leading to email blacklisting and increased server load.
If Mitigated
Limited to email sending abuse without direct server compromise, but still risks email deliverability and reputation damage.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple HTTP requests to trigger email sending functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.30 or later
Vendor Advisory: https://documentation.laborator.co/kb/kalium/kalium-changelog/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Appearance > Themes. 3. Click on Kalium theme. 4. Click 'Update Now' if update is available. 5. Alternatively, download latest version from ThemeForest and manually update.
🔧 Temporary Workarounds
Disable vulnerable function via plugin
allCreate a custom plugin to remove or disable the vulnerable kalium_vc_contact_form_request() function
Create a PHP file with: remove_action('wp_ajax_kalium_vc_contact_form_request', 'kalium_vc_contact_form_request'); remove_action('wp_ajax_nopriv_kalium_vc_contact_form_request', 'kalium_vc_contact_form_request');
Web application firewall rule
linuxBlock requests to the vulnerable endpoint using WAF or .htaccess rules
Add to .htaccess: RewriteCond %{QUERY_STRING} action=kalium_vc_contact_form_request [NC] RewriteRule ^ - [F,L]
🧯 If You Can't Patch
- Switch to a different WordPress theme temporarily
- Disable the Kalium theme entirely and use default WordPress theme
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Appearance > Themes for Kalium theme version. If version is 3.29 or lower, you are vulnerable.Check Version:
Check WordPress admin panel or view theme's style.css file headerVerify Fix Applied:
After updating, verify Kalium theme version shows 3.30 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual volume of POST requests to /wp-admin/admin-ajax.php with action=kalium_vc_contact_form_request
- Spike in outbound email traffic from web server
- Failed email delivery notifications for emails not sent by legitimate users
Network Indicators:
- HTTP POST requests to admin-ajax.php with kalium_vc_contact_form_request parameter
- Unusual SMTP traffic originating from web server
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND query="*kalium_vc_contact_form_request*"