HIGH · CVE-2025-6744 · CVSS 7.3

CVE-2025-6744: Arbitrary Shortcode in Woodmart WordPress Theme

Platform

wordpress

Component

woodmart

Fixed in

8.2.4

AI Confidence: high · Sources: NVD, EPSS (0.5%) · Reviewed: May 2026

CVE-2025-6744 is an arbitrary shortcode execution vulnerability in the Woodmart WordPress theme by xTemos. The theme exposes an action that does not properly validate a user-supplied value before handing it to the theme's `woodmart_get_products_shortcode()` path and, through it, to WordPress's shortcode processing (do_shortcode()). An unauthenticated attacker can therefore make the site execute any shortcode registered on it, with attributes of the attacker's choosing. Depending on which plugins are installed, that can expose data, alter site behaviour, or burn server resources. All versions up to and including 8.2.3 (listed as 0.0.0 – 8.2.3) are affected; the fix shipped in 8.2.4.


Impact and Attack Scenarios

Arbitrary shortcode execution is not arbitrary PHP code execution. The attacker cannot supply PHP; they can only invoke shortcodes that are already registered on the site, but with attacker-chosen attributes and without the author-level trust that normally gates shortcode use (shortcodes are meant to be written into post content by editors, not submitted by anonymous visitors). What that buys depends on the plugins present: shortcodes that list users or posts, render forms, fetch remote content, or run template logic all become reachable from the internet, and a shortcode that is expensive to render can be requested in a loop to degrade the site. That is why the CVSS vector rates confidentiality, integrity and availability as Low rather than High: data theft or a full takeover requires chaining with a shortcode that exposes such capability, which is a realistic condition on WooCommerce stores that run many plugins but not a given.
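To make the bug class concrete, the following is an added example and not Woodmart's code: a hypothetical unauthenticated WordPress AJAX action that hands a client-supplied string straight to do_shortcode(), beside a hardened version that keeps the shortcode name on the server and accepts only validated integer attributes. The `demo_` action names and the `shortcode`, `ids`, `columns` and `nonce` parameters are invented for illustration; `[products]` is WooCommerce's shortcode, so the example assumes WooCommerce is active. It is meant to be dropped into wp-content/mu-plugins/ on a test site.

```php
<?php
/**
 * Added example, not Woodmart's code. Shows the pattern behind
 * "arbitrary shortcode execution" and one way to close it.
 * Assumptions: WordPress and WooCommerce are loaded; the demo_ action
 * names and request parameters are invented for illustration.
 */

// --- VULNERABLE PATTERN ------------------------------------------------------
// wp_ajax_nopriv_* actions are reachable by anyone via /wp-admin/admin-ajax.php.
// The handler trusts a ready-made shortcode string from the request, so every
// shortcode registered on the site (from any plugin) can be invoked with
// attacker-chosen attributes. This is the bug class, not Woodmart's exact code.
add_action( 'wp_ajax_nopriv_demo_render_vuln', 'demo_render_vuln' );
add_action( 'wp_ajax_demo_render_vuln', 'demo_render_vuln' );
function demo_render_vuln() {
    $shortcode = isset( $_POST['shortcode'] ) ? (string) wp_unslash( $_POST['shortcode'] ) : '';
    // e.g. shortcode=[products ids="1"]  or  shortcode=[some_plugin_shortcode ...]
    wp_send_json_success( do_shortcode( $shortcode ) );
}

// --- HARDENED VERSION --------------------------------------------------------
// The server decides WHICH shortcode runs; the client only influences a few
// typed attributes. Every attribute is coerced to an integer before the string
// is built, so no '[', ']' or quote characters from the request can reach the
// shortcode parser and only the fixed [products] shortcode can execute.
add_action( 'wp_ajax_nopriv_demo_render_products', 'demo_render_products' );
add_action( 'wp_ajax_demo_render_products', 'demo_render_products' );
function demo_render_products() {
    // Nonce: blocks cross-site triggering and gives the WAF a clean signal for
    // traffic that skips the page flow. The front end obtains it from
    // wp_create_nonce( 'demo_products' ) when the page is rendered.
    check_ajax_referer( 'demo_products', 'nonce' );

    $raw_ids = isset( $_POST['ids'] ) ? (string) wp_unslash( $_POST['ids'] ) : '';
    $ids     = array_filter( array_map( 'absint', explode( ',', $raw_ids ) ) ); // "12,abc,0" -> [12]
    $columns = isset( $_POST['columns'] ) ? absint( $_POST['columns'] ) : 4;

    if ( empty( $ids ) || count( $ids ) > 24 || $columns < 1 || $columns > 6 ) {
        wp_send_json_error( array( 'message' => 'invalid parameters' ), 400 );
    }

    // Only products the shop actually publishes may be referenced.
    $ids = array_filter( $ids, function ( $id ) {
        return 'product' === get_post_type( $id ) && 'publish' === get_post_status( $id );
    } );
    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'no such products' ), 404 );
    }

    $shortcode = sprintf( '[products ids="%s" columns="%d"]', implode( ',', $ids ), $columns );
    wp_send_json_success( do_shortcode( $shortcode ) );
}
```

The important design change is not filtering the string: stripping `[` and `]` from an attacker-supplied shortcode is fragile (encodings, nested shortcodes, attribute quoting), whereas never letting the request carry a shortcode at all leaves the parser nothing to misinterpret. The nonce does not make the endpoint private, but it forces scanners to fetch a page first, which shows up clearly in logs.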

Exploitation Context

CVE-2025-6744 was publicly disclosed on 2025-07-08. No public proof-of-concept exploit was known at the time of review, the CVE is not on the CISA KEV catalog, and EPSS puts the 30-day exploitation probability at 0.47%. Those signals argue against an active campaign, but every precondition for mass exploitation is present: network-reachable, no authentication, no user interaction, and a commercial WooCommerce theme that automated WordPress scanners probe continuously. Treat it as a patch-now item on internet-facing stores rather than waiting for exploitation evidence.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.47% (64th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS v3.1 base score: 7.3 (HIGH), as scored by nextguardhq.com
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network · Attack Complexity: Low · Privileges Required: None · User Interaction: None · Scope: Unchanged · Confidentiality: Low · Integrity: Low · Availability: Low
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: woodmart
Vendor: xTemos
Affected range: 0.0.0 – 8.2.3
Fixed in: 8.2.4

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published (2025-07-08)
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation is to upgrade the Woodmart theme to 8.2.4 or later. If that cannot happen immediately because of child-theme or plugin compatibility, reduce exposure in the meantime: the vulnerable path runs through the theme's `woodmart_get_products_shortcode()` function, reached from an unauthenticated request, so at the WAF or web server block requests to the theme's public endpoints whose parameters contain shortcode markup (`[` and `]` around a tag name) and rate-limit those endpoints. This narrows the attack surface but is not a fix, because the unvalidated code path remains in place. Watch access logs for unauthenticated requests whose parameters carry shortcode syntax and for responses that unexpectedly contain rendered shortcode output. After upgrading, confirm that the `Version:` header in wp-content/themes/woodmart/style.css reads 8.2.4 or later, and re-test that a request carrying a harmless shortcode such as `[products]` in the parameter no longer renders it.
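A quick way to check an installation against the fixed version, as an added example that is not from the page or from xTemos. It reads the theme header the same way WordPress's own get_file_data() does and compares the version with 8.2.4 using version_compare(). It assumes the standard WordPress layout (wp-content/themes/<slug>/style.css) and that the parent theme's directory is named `woodmart` or its `Theme Name:` header is `Woodmart`; both are assumptions about the vendor package.

```php
<?php
/**
 * Added example (not from the advisory page or from xTemos): report whether an
 * installed Woodmart parent theme is below the fixed version 8.2.4.
 * Usage:  php check-woodmart.php /var/www/html     (the WordPress root)
 * Assumes the standard layout wp-content/themes/<slug>/style.css with the
 * "Theme Name:" and "Version:" headers that WordPress itself reads.
 */

const WOODMART_FIXED_VERSION = '8.2.4';

/** Extract one header field the way WordPress's get_file_data() does. */
function theme_header_field( string $style_css, string $field ): ?string {
    // WordPress only scans the first 8 KB of the file for headers.
    $head = @file_get_contents( $style_css, false, null, 0, 8192 );
    if ( false === $head ) {
        return null;
    }
    $pattern = '/^[ \t\/*#@]*' . preg_quote( $field, '/' ) . ':(.*)$/mi';
    if ( ! preg_match( $pattern, $head, $m ) ) {
        return null;
    }
    // Same cleanup WordPress applies: drop a trailing "*/" or "?>" and whitespace.
    return trim( preg_replace( '/\s*(?:\*\/|\?>).*/', '', $m[1] ) );
}

/** True when the version is in the affected range (every release before 8.2.4). */
function woodmart_is_affected( string $version ): bool {
    return version_compare( $version, WOODMART_FIXED_VERSION, '<' );
}

$root   = rtrim( $argv[1] ?? getcwd(), '/' );
$themes = glob( $root . '/wp-content/themes/*/style.css' ) ?: array();
$status = 0;
$seen   = false;

foreach ( $themes as $css ) {
    $slug = basename( dirname( $css ) );
    $name = theme_header_field( $css, 'Theme Name' ) ?? '';
    // Match the parent theme only: "Woodmart Child" inherits the parent's code
    // and is fixed by updating the parent.
    if ( 'woodmart' !== $slug && 0 !== strcasecmp( $name, 'Woodmart' ) ) {
        continue;
    }
    $seen    = true;
    $version = theme_header_field( $css, 'Version' );
    if ( null === $version ) {
        printf( "%s: Woodmart found but no Version header (treat as affected)\n", $css );
        $status = 1;
    } elseif ( woodmart_is_affected( $version ) ) {
        printf( "%s: Woodmart %s is AFFECTED by CVE-2025-6744 (fixed in %s)\n",
            $css, $version, WOODMART_FIXED_VERSION );
        $status = 1;
    } else {
        printf( "%s: Woodmart %s is not affected\n", $css, $version );
    }
}

if ( ! $seen ) {
    echo "No Woodmart parent theme found under $root/wp-content/themes\n";
}
exit( $status );
```

The exit status makes the script usable from a fleet-wide cron or CI job. Keep in mind that the header is self-reported: if the theme directory has been edited by hand, or a partial update left old files behind, compare the shipped files against the vendor's 8.2.4 package rather than trusting `Version:` alone.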

How to fix

Update the Woodmart theme to version 8.2.4 or later to mitigate the arbitrary shortcode execution vulnerability. This release adds the missing validation of values before the `woodmart_get_products_shortcode()` function runs, which prevents unauthorized shortcode execution.


Frequently asked questions

What is CVE-2025-6744 — Arbitrary Shortcode in Woodmart WordPress Theme?

CVE-2025-6744 is a HIGH severity (CVSS 7.3) vulnerability that lets unauthenticated attackers execute arbitrary registered shortcodes on sites running the Woodmart WordPress theme, all versions up to and including 8.2.3, because a user-supplied value is not validated before the theme passes it to shortcode processing.

Am I affected by CVE-2025-6744 in Woodmart WordPress Theme?

If you run any Woodmart version up to and including 8.2.3, you are affected. Check the `Version:` header in wp-content/themes/woodmart/style.css, or Appearance > Themes in wp-admin; a Woodmart child theme inherits the vulnerable parent and is fixed by updating the parent.

How do I fix CVE-2025-6744 in Woodmart WordPress Theme?

Upgrade the Woodmart theme to version 8.2.4 or later. If an immediate upgrade is not possible, block or rate-limit unauthenticated requests to the theme's public endpoints that carry shortcode markup at the WAF, and treat that as a stopgap rather than a fix.

Is CVE-2025-6744 being actively exploited?

Not as far as public sources showed at the time of review: no proof of concept is published, the CVE is not on the CISA KEV list, and EPSS is 0.47%. It is still an unauthenticated, no-interaction bug in a widely deployed commercial WooCommerce theme, which is exactly the profile that automated WordPress scanners pick up, so patch before exploitation evidence appears and review logs for unauthenticated requests whose parameters contain shortcode syntax.

Where can I find the official Woodmart advisory for CVE-2025-6744?

Woodmart is a commercial theme sold by xTemos and is not hosted on the WordPress.org theme or plugin repository, so WordPress.org carries no advisory for it. Check the xTemos changelog for the 8.2.4 release and the NVD record for CVE-2025-6744 for the current advisory and update details.
