Platform: wordpress
Component: woodmart
Fixed in: 8.2.4
CVE-2025-6744 describes an arbitrary shortcode execution vulnerability discovered in the Woodmart WordPress theme. This flaw allows unauthenticated attackers to inject and execute malicious shortcodes, potentially leading to website defacement, data theft, or complete compromise. The vulnerability impacts versions 0.0.0 through 8.2.3 of the Woodmart theme, and a patch is available in version 8.2.4.
The impact of this vulnerability is significant. An attacker can leverage it to execute arbitrary PHP code through shortcodes, effectively gaining control over the affected WordPress website. This could involve injecting malicious content, stealing sensitive data stored in the WordPress database, or installing backdoors for persistent access. Because arbitrary shortcode execution bypasses the standard WordPress controls on who may run which shortcodes, this is a particularly dangerous vulnerability. Exploitation could lead to a complete takeover of the website and compromise of any associated user data or services.
CVE-2025-6744 was publicly disclosed on 2025-07-08. No known public proof-of-concept exploits are currently available, but the ease of shortcode injection suggests a high likelihood of exploitation if left unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Active campaigns targeting WordPress themes are common, so vigilance is advised.
Exploit Status
EPSS: 0.47% (64th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to immediately upgrade the Woodmart WordPress theme to version 8.2.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the `woodmart_get_products_shortcode()` function. While not a complete fix, this reduces the attack surface. Monitor WordPress plugin activity logs for any suspicious shortcode executions. Implement a Web Application Firewall (WAF) with rules to block potentially malicious shortcode patterns. After upgrading, verify the fix by attempting to execute a known malicious shortcode and confirming it is blocked.
Update the Woodmart theme to version 8.2.4 or later to mitigate the arbitrary shortcode execution vulnerability. This update corrects the improper validation of values before the `woodmart_get_products_shortcode()` function is executed, preventing unauthorized shortcode execution.
CVE-2025-6744 is a HIGH severity vulnerability allowing unauthenticated attackers to execute arbitrary shortcodes in Woodmart WordPress themes versions 0.0.0–8.2.3 due to improper input validation.
If you are using Woodmart WordPress theme versions 0.0.0 through 8.2.3, you are potentially affected by this vulnerability. Check your theme version immediately.
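To make the version check above concrete, here is an added example (not code from the Woodmart project or from this advisory) that reads the `Version:` header of a theme's style.css and reports whether it falls in the affected 0.0.0 through 8.2.3 range; the theme directory name `wp-content/themes/woodmart` and the sample header are assumptions for the demonstration.

```python
"""Check an installed Woodmart theme against the CVE-2025-6744 affected range."""
import re
import sys
from pathlib import Path
from typing import Optional

FIXED_VERSION = "8.2.4"  # first patched release named in the advisory

# Constructed sample of a WordPress theme header block (style.css), used when no file is given.
SAMPLE_STYLE_CSS = """/*
Theme Name: WoodMart
Theme URI: https://theme-uri.example
Version: 8.2.3
*/
"""


def parse_version(text: str) -> tuple:
    """Turn '8.2.3' into (8, 2, 3); a trailing label such as '-rc1' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def theme_version_from_stylesheet(css: str) -> Optional[str]:
    """Read the 'Version:' field from a theme's style.css header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][\w.\-]*)", css, re.MULTILINE)
    return match.group(1) if match else None


def is_affected(version: str) -> bool:
    """Anything below the fixed release (i.e. 0.0.0 through 8.2.3) is affected."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess_stylesheet(css: str) -> dict:
    """Return the parsed version and whether it is in the affected range."""
    version = theme_version_from_stylesheet(css)
    if version is None:
        return {"version": None, "affected": None, "fixed_in": FIXED_VERSION}
    return {"version": version, "affected": is_affected(version), "fixed_in": FIXED_VERSION}


if __name__ == "__main__":
    # Check the parent theme directory, not a child theme: a child theme's style.css
    # carries its own version, not the version of the Woodmart code actually running.
    theme_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "wp-content/themes/woodmart")
    css_path = theme_dir / "style.css"
    css_text = css_path.read_text(encoding="utf-8") if css_path.exists() else SAMPLE_STYLE_CSS
    print(assess_stylesheet(css_text))
```

Run it with the path to the parent theme directory as the only argument; without an argument it falls back to the constructed sample header.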
Upgrade the Woodmart WordPress theme to version 8.2.4 or later to remediate the vulnerability. If immediate upgrade is not possible, consider temporary restrictions on shortcode execution.
While no public exploits are currently known, the ease of exploitation suggests a high likelihood of exploitation if left unpatched. Monitor your website for suspicious activity.
Refer to the official Woodmart theme website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-6744.