Patched version: 19.9.8
CVE-2025-7366 describes an arbitrary shortcode execution vulnerability in the REHub - Price Comparison, Multi Vendor Marketplace WordPress theme. The flaw lets unauthenticated attackers execute arbitrary shortcodes, which can lead to content injection and defacement, exposure of data, or, depending on which shortcodes are available, a fuller compromise of the site. Versions 0.0.0 through 19.9.7 are affected; the fix is in version 19.9.8.
The ability to run any registered shortcode with attacker-chosen attributes gives significant control over the affected site. What an attacker can actually do depends on the shortcodes registered by the theme and by every active plugin: they could inject malicious content, redirect visitors to phishing pages, render data that the site never meant to expose, or, where a registered shortcode evaluates code or includes files, reach remote code execution. No authentication is required, so any visitor can trigger the shortcode execution. The impact is particularly severe for e-commerce sites built on REHub, where attackers could manipulate displayed product pricing, redirect customers, or target payment flows. This follows the same pattern as other WordPress shortcode vulnerabilities, where a site feature that passes untrusted input to the shortcode engine becomes a way to execute functionality the attacker was never meant to reach.
CVE-2025-7366 was publicly disclosed on 2025-09-06. There are currently no known public exploits or active campaigns targeting it, but the ease of exploitation (an unauthenticated request is enough) makes it a likely target. The vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept code is expected to emerge given the vulnerability's nature.
Websites running the REHub theme in versions 0.0.0 through 19.9.7 are at risk. E-commerce sites and sites handling sensitive user data are especially exposed because of the potential for data theft and manipulation. Shared hosting environments, where several sites share the same server, are also at increased risk: a compromise of one site can become a foothold against the others.
• wordpress (shell): grep -rn 'do_shortcode' /var/www/html/wp-content/themes/rehub/
  Adjust the path to your document root. Follow up on any call whose argument comes from $_GET, $_POST or $_REQUEST rather than from stored content; that is the pattern behind this class of bug.
• wordpress (wp-cli): wp theme list | grep rehub
  Confirms the theme is installed and shows the installed version; anything below 19.9.8 is affected.
• wordpress (wp-cli): wp plugin list | grep rehub
  Catches any REHub-branded companion plugin that ships with the theme and may need updating alongside it.
• generic web: Check for unexpected shortcodes being executed on the website by inspecting the rendered HTML for output of shortcodes that the site's own pages do not use.
EPSS: 0.29% (52nd percentile)
The primary mitigation is to upgrade the REHub WordPress theme to version 19.9.8 or later immediately. If upgrading is not immediately possible because of compatibility issues or breaking changes, temporarily restrict access to the vulnerable shortcode-rendering functionality. WordPress administrators should review all shortcodes in use and make sure that any code path which renders a shortcode from a request validates the input first. A Web Application Firewall (WAF) with rules that block suspicious shortcode execution attempts is a stopgap, not a fix: it narrows the window but does not remove the flaw. WordPress does not log shortcode execution by default, so monitoring in practice means watching web-server access logs for unexpected requests to the theme's AJAX or REST endpoints from unauthenticated clients.
Update the REHub theme to version 19.9.8 or later to mitigate the arbitrary shortcode execution vulnerability. The update addresses the missing validation of values before they are passed to the do_shortcode function, preventing unauthorized shortcode execution by unauthenticated attackers.
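The root cause described above, as an added illustrative example that is not REHub's code and does not reproduce the patched logic: a generic WordPress AJAX handler that passes a request value straight to do_shortcode, beside a hardened version that only ever builds shortcodes from an allowlist on the server side. The hook names (demo_render, demo_render_safe), the POST field names, the nonce action and the allowlisted tags are all assumptions chosen for the example.

```php
<?php
/**
 * Added illustrative example (not REHub's code). Hook names, POST field names,
 * the nonce action and the allowlisted tags below are assumptions.
 */

// --- Vulnerable pattern (do NOT ship) ---------------------------------------
// An AJAX endpoint registered for logged-out users (wp_ajax_nopriv_*) that takes
// a string from the request and hands it straight to do_shortcode(). Any visitor
// can POST action=demo_render&shortcode=[any_tag attr="..."] to admin-ajax.php
// and run any shortcode registered by the theme or any active plugin.
function demo_render_shortcode_vulnerable() {
    $raw = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $raw ); // no nonce, no capability check, no tag allowlist
    wp_die();
}
add_action( 'wp_ajax_demo_render', 'demo_render_shortcode_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_render', 'demo_render_shortcode_vulnerable' );

// --- Hardened pattern --------------------------------------------------------
// 1. Never execute a caller-supplied shortcode string. Accept only a tag name
//    plus attributes, check the tag against a fixed allowlist, and assemble the
//    shortcode on the server so request data never reaches the parser as markup.
// 2. Require a nonce; for anything that is not purely public content also
//    require a capability check (current_user_can) on a non-nopriv hook.
// 3. Sanitize every attribute and drop unknown ones.
define( 'DEMO_ALLOWED_SHORTCODES', array( 'demo_product_box', 'demo_price_list' ) );
define( 'DEMO_ALLOWED_ATTS', array( 'id', 'limit' ) ); // both numeric by design

function demo_render_shortcode_hardened() {
    check_ajax_referer( 'demo_render_nonce', 'nonce' ); // dies with 403 on failure

    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, DEMO_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'shortcode not permitted', 400 );
    }

    $posted = ( isset( $_POST['atts'] ) && is_array( $_POST['atts'] ) )
        ? wp_unslash( $_POST['atts'] )
        : array();

    $atts = array();
    foreach ( DEMO_ALLOWED_ATTS as $key ) {
        if ( isset( $posted[ $key ] ) ) {
            $atts[ $key ] = absint( $posted[ $key ] ); // coerce to a non-negative int
        }
    }

    // Build the shortcode ourselves; only the allowlisted tag and integer
    // attribute values ever appear in the string handed to do_shortcode().
    $shortcode = '[' . $tag;
    foreach ( $atts as $name => $value ) {
        $shortcode .= sprintf( ' %s="%d"', $name, $value );
    }
    $shortcode .= ']';

    wp_send_json_success( do_shortcode( $shortcode ) );
}
add_action( 'wp_ajax_demo_render_safe', 'demo_render_shortcode_hardened' );
add_action( 'wp_ajax_nopriv_demo_render_safe', 'demo_render_shortcode_hardened' );
```

Two caveats when applying this pattern. A nonce on a wp_ajax_nopriv_* endpoint does not authenticate anyone, since any visitor can obtain it from the page; it only stops cross-site and blind scripted requests, so the real control is the allowlist and server-side construction. The allowlist should also contain only shortcodes that are genuinely safe to render for anonymous visitors, because the hardened handler still executes whatever it permits.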
CVE-2025-7366 is a HIGH severity vulnerability in the REHub WordPress theme that allows unauthenticated attackers to execute arbitrary shortcodes because of insufficient input validation before values reach do_shortcode.
You are affected if you are running the REHub WordPress theme in versions 0.0.0 through 19.9.7. Upgrade to 19.9.8 or later to mitigate the risk.
Upgrade the REHub WordPress theme to version 19.9.8 or later. If an immediate upgrade is not possible, restrict access to the vulnerable shortcode-rendering functionality until it is.
There are currently no known active exploits, but the vulnerability's ease of exploitation makes it a likely target.
Refer to the REHub theme developer's website for the official advisory and update information.