Platform: wordpress
Component: woodmart
Fixed version: 8.2.4
CVE-2025-6744 describes an arbitrary shortcode execution vulnerability discovered in the Woodmart WordPress theme. This flaw allows unauthenticated attackers to inject and execute malicious shortcodes, potentially leading to website defacement, data theft, or complete compromise. The vulnerability impacts versions 0.0.0 through 8.2.3 of the Woodmart theme, and a patch is available in version 8.2.4.
The impact of this vulnerability is significant. An attacker can leverage it to execute arbitrary PHP code through shortcodes, effectively gaining control over the affected WordPress website. This could involve injecting malicious content, stealing sensitive data stored within the WordPress database, or even installing backdoors for persistent access. The ability to execute arbitrary shortcodes bypasses standard WordPress security measures, making this a particularly dangerous vulnerability. Exploitation could lead to a complete takeover of the website and compromise of any associated user data or services.
CVE-2025-6744 was publicly disclosed on 2025-07-08. No known public proof-of-concept exploits are currently available, but the ease of shortcode injection suggests a high likelihood of exploitation if left unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Active campaigns targeting WordPress themes are common, so vigilance is advised.
Websites using the Woodmart theme, particularly those running older versions (0.0.0 – 8.2.3), are at risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites relying on the Woodmart theme for critical functionality or e-commerce operations face the highest risk.
• Locate the affected function in the installed theme (wordpress):
  grep -r 'woodmart_get_products_shortcode' /var/www/html/wp-content/themes/woodmart/
• Check the installed version (Woodmart is a theme, so use `wp theme`, not `wp plugin`):
  wp theme list | grep woodmart
• Update the theme to the fixed release:
  wp theme update woodmart
Disclosure
Exploitation status
EPSS: 0.47% (64th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Woodmart WordPress theme to version 8.2.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the `woodmart_get_products_shortcode()` function. While not a complete fix, this reduces the attack surface. Monitor WordPress plugin activity logs for any suspicious shortcode executions. Implement a Web Application Firewall (WAF) with rules to block potentially malicious shortcode patterns. After upgrading, verify the fix by attempting to execute a known malicious shortcode and confirming it is blocked.
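A defender-side version check, added here as an example and not taken from the advisory or from the Woodmart project: it walks one or more web roots (useful on the shared hosts mentioned above), reads the standard WordPress `Version:` header from each Woodmart style.css it finds, and flags anything below the fixed release 8.2.4. The theme directory name `woodmart` is assumed from the paths above; the sample header in the block is constructed.

```python
"""Find Woodmart theme installs under one or more web roots and flag any
version below 8.2.4 (the first patched release named in the advisory).

Relies only on the standard WordPress theme header in style.css ("Version: x.y.z").
"""
import re
import sys
from pathlib import Path

FIXED_VERSION = (8, 2, 4)   # first patched release per the advisory
THEME_SLUG = "woodmart"     # theme directory name, assumed from the advisory's paths

# Matches "Version: 8.2.3" or " * Version: 8.2.3" at the start of a header line.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)

# Constructed sample of a theme header, used only for the self-check below.
SAMPLE_STYLE_CSS = "/*\nTheme Name: Woodmart\nVersion: 8.2.3\n*/\n"


def parse_version(style_css_text):
    """Return the Version: header as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(style_css_text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".") if p)


def is_vulnerable(version):
    """Affected range is 0.0.0 through 8.2.3; anything older than 8.2.4 is vulnerable."""
    return version is not None and version < FIXED_VERSION


def scan_roots(roots):
    """Yield (style.css path, version tuple or None, vulnerable flag) per install found."""
    for root in roots:
        for css in Path(root).glob(f"**/wp-content/themes/{THEME_SLUG}/style.css"):
            version = parse_version(css.read_text(errors="replace"))
            yield css, version, is_vulnerable(version)


if __name__ == "__main__":
    assert is_vulnerable(parse_version(SAMPLE_STYLE_CSS))  # self-check on the sample
    for css, version, vuln in scan_roots(sys.argv[1:] or ["/var/www"]):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{css}: {shown} {'VULNERABLE, upgrade to 8.2.4+' if vuln else 'ok'}")
```

Run it with the document roots of every site on the host as arguments; an install whose header is missing or unparsable is reported as "unknown" and should be inspected by hand.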
Update the Woodmart theme to version 8.2.4 or later to mitigate the arbitrary shortcode execution vulnerability. This update corrects the missing validation of values before the `woodmart_get_products_shortcode()` function is executed, preventing unauthorized shortcode execution.
CVE-2025-6744 is a HIGH severity vulnerability allowing unauthenticated attackers to execute arbitrary shortcodes in Woodmart WordPress themes versions 0.0.0–8.2.3 due to improper input validation.
If you are using Woodmart WordPress theme versions 0.0.0 through 8.2.3, you are potentially affected by this vulnerability. Check your theme version immediately.
Upgrade the Woodmart WordPress theme to version 8.2.4 or later to remediate the vulnerability. If immediate upgrade is not possible, consider temporary restrictions on shortcode execution.
While no public exploits are currently known, the ease of exploitation suggests a high likelihood of exploitation if left unpatched. Monitor your website for suspicious activity.
Refer to the official Woodmart theme website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-6744.