Platform
wordpress
Component
rehub
Fixed in
19.9.8
CVE-2025-7366 describes an arbitrary shortcode execution vulnerability in the REHub - Price Comparison, Multi Vendor Marketplace WordPress theme. The flaw lets unauthenticated attackers execute arbitrary shortcodes, which, depending on the shortcodes registered on the site, can lead to website defacement, data theft, or complete compromise. All versions up to and including 19.9.7 are affected; the fix ships in version 19.9.8.
Arbitrary shortcode execution hands an attacker every shortcode registered by the active theme and its plugins, invoked with attacker-chosen attributes and content, without logging in. What that buys them depends on what those shortcodes do: content-rendering shortcodes allow defacement or injected redirects to phishing pages; shortcodes that query the database can expose data the site would never render to an anonymous visitor; and shortcodes that include files, evaluate templates, or hand input to other plugins can escalate to remote code execution. The unauthenticated trigger is the critical part: no account is needed, so any visitor who can reach the vulnerable path can fire it. On e-commerce sites running REHub the same mechanism lets attackers rewrite rendered product and pricing blocks, redirect customers, or capture data those customers submit. The bug class is the same as in other WordPress shortcode vulnerabilities: request input reaches the shortcode engine without the caller restricting which shortcodes may run.
CVE-2025-7366 was publicly disclosed on 2025-09-06. There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation makes it a likely target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is expected to emerge given the vulnerability's nature.
Exploit Status
EPSS
0.29% (52nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the REHub WordPress theme to version 19.9.8 or later. If that is not immediately possible because of compatibility or customization concerns, reduce exposure in the meantime: restrict the code path that passes request data to do_shortcode so that unauthenticated callers can only trigger an explicit allowlist of shortcodes, and put the site behind a Web Application Firewall with rules that block unauthenticated requests whose parameters carry shortcode syntax (bracketed tags of the form [tag attr="..."]). Note that WordPress does not log shortcode execution by default, so monitoring for unusual shortcode activity in practice means reviewing web-server and WAF logs for unauthenticated POST or GET requests to the site's AJAX and REST endpoints that contain shortcode markup, and for shortcode output appearing in places the site never uses it. Administrators should also audit which shortcodes the installed theme and plugins register, since that set defines the worst case an attacker can reach through this flaw.
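A concrete form of the stop-gap above, written here as an added example rather than code from the REHub theme or an official vendor workaround: a must-use plugin that hooks WordPress's pre_do_shortcode_tag filter and, for unauthenticated AJAX and REST requests only, refuses every shortcode not on an allowlist while logging the attempt. The plugin and function names, the placeholder allowlist tag, and the assumption that the attacker-reachable path is an AJAX or REST request are all choices made for this example; normal page renders for anonymous visitors are deliberately left untouched so the site keeps working.

```php
<?php
/*
 * Plugin Name: Example shortcode guard (temporary)
 * Description: Added example of a stop-gap for sites that cannot upgrade yet.
 *   Not REHub code and not a vendor-supplied workaround. Drop into
 *   wp-content/mu-plugins/ and remove after updating to 19.9.8 or later.
 */

// Shortcodes that unauthenticated AJAX/REST callers may still run.
// ASSUMPTION: 'example_offer_box' is a placeholder; populate this list from
// the tags your theme's front end actually requests (watch admin-ajax.php and
// REST traffic in the browser's network tab before enabling the guard).
function example_guard_allowed_tags() {
    return apply_filters( 'example_guard_allowed_tags', array( 'example_offer_box' ) );
}

// True for the surface an unauthenticated attacker would use: an AJAX
// (admin-ajax.php) or REST request with no logged-in user behind it.
// ASSUMPTION: if the vulnerable path is a plain front-end request instead,
// extend this check accordingly.
function example_guard_is_untrusted_request() {
    if ( is_user_logged_in() ) {
        return false;
    }
    return wp_doing_ajax() || ( defined( 'REST_REQUEST' ) && REST_REQUEST );
}

// pre_do_shortcode_tag runs before every shortcode callback (WordPress 4.7+).
// Returning anything other than false short-circuits the callback and uses the
// returned value as the shortcode's output, so the tag's code never executes.
add_filter( 'pre_do_shortcode_tag', 'example_guard_shortcode', 10, 4 );
function example_guard_shortcode( $return, $tag, $attr, $m ) {
    if ( ! example_guard_is_untrusted_request() ) {
        return $return;
    }
    if ( in_array( $tag, example_guard_allowed_tags(), true ) ) {
        return $return;
    }

    // Record enough to investigate: tag, attributes, source IP and URI.
    // error_log() writes to PHP's error log, or to wp-content/debug.log when
    // WP_DEBUG_LOG is enabled.
    error_log( sprintf(
        'shortcode-guard: blocked [%s] attrs=%s ip=%s uri=%s',
        $tag,
        wp_json_encode( $attr ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );

    return '';   // swallow the shortcode; its callback is not invoked
}
```

Because the filter fires once per tag, nested shortcodes inside an allowed tag's content are evaluated by the same check, so an attacker cannot smuggle a blocked tag through an allowed one. The trade-off is that any legitimate theme feature that renders a non-allowlisted shortcode for logged-out users over AJAX will stop working until it is added to the list, which is why the list should be built from observed traffic and the guard removed once the theme is upgraded.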
Update the REHub theme to version 19.9.8 or later to mitigate the arbitrary shortcode execution vulnerability. The update addresses the missing validation of values before they are passed to the do_shortcode function, preventing unauthenticated attackers from executing shortcodes they are not authorized to run.
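To make the root cause tangible, the following is an added illustration of the bug class, not the REHub theme's actual code: an AJAX handler registered on the wp_ajax_nopriv_ hook (which fires for logged-out visitors) that hands a request parameter straight to do_shortcode, placed beside a hardened version that accepts only a shortcode name from an allowlist and assembles the markup server-side. The handler names, request parameters, nonce action and allowlisted tags are assumptions chosen for the example.

```php
<?php
/*
 * Added example of the pattern behind an "arbitrary shortcode execution" bug.
 * NOT REHub code. Names below (example_render, example_offer_box, ...) are
 * placeholders for this illustration.
 */

// --- Vulnerable pattern -------------------------------------------------
// Anyone who can reach /wp-admin/admin-ajax.php?action=example_render can run
// any registered shortcode with attributes and body of their choosing.
add_action( 'wp_ajax_nopriv_example_render', 'example_render_vulnerable' );
add_action( 'wp_ajax_example_render', 'example_render_vulnerable' );
function example_render_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content );   // attacker controls tag, attributes and content
    wp_die();
}

// --- Hardened pattern ---------------------------------------------------
// 1. Never accept raw shortcode markup from the client; take an opaque tag
//    name plus a small, typed attribute set.
// 2. Check the tag against an explicit allowlist of what this endpoint is
//    meant to render, and confirm the tag is actually registered.
// 3. Require a nonce so the call can only originate from a page this site
//    served (the nonce must be passed to the front end with wp_localize_script
//    or wp_add_inline_script; for logged-out users it ties the request to the
//    page, it does not prove identity, so the allowlist is the real control).
// 4. Build the shortcode string server-side from validated pieces.
function example_allowed_shortcodes() {
    return array( 'example_offer_box', 'example_price_table' );   // placeholder tags
}

add_action( 'wp_ajax_nopriv_example_render_safe', 'example_render_hardened' );
add_action( 'wp_ajax_example_render_safe', 'example_render_hardened' );
function example_render_hardened() {
    check_ajax_referer( 'example_render', 'nonce' );   // dies on a missing/bad nonce

    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, example_allowed_shortcodes(), true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unsupported shortcode', 400 );
    }

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'missing id', 400 );
    }

    // The client never supplies brackets, attribute names or nested tags;
    // only the validated tag and an integer id reach do_shortcode().
    $markup = sprintf( '[%s id="%d"]', $tag, $id );
    wp_send_json_success( do_shortcode( $markup ) );
}
```

The difference to look for when auditing a theme or plugin is whether the string given to do_shortcode is built by the server or arrives from the request. Sanitizing the string (stripping tags, escaping HTML) does not fix the first form, because a well-formed shortcode survives sanitization; only restricting which tags may run does.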
CVE-2025-7366 is a HIGH severity vulnerability in the REHub WordPress theme allowing unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
You are affected if you are using the REHub WordPress theme in any version up to and including 19.9.7. Upgrade to 19.9.8 or later to mitigate the risk.
Upgrade the REHub WordPress theme to version 19.9.8 or later. If an immediate upgrade is not possible, restrict the code path that passes request input to do_shortcode so that unauthenticated callers can only trigger an allowlist of shortcodes.
There are currently no known active exploits, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the REHub theme developer's website and the theme's changelog for the official advisory and update information.