CVE-2025-6744

7.3 HIGH

📋 TL;DR

The Woodmart WordPress theme allows unauthenticated attackers to execute arbitrary shortcodes because of insufficient input validation in the woodmart_get_products_shortcode() function. All sites running Woodmart 8.2.3 or earlier are affected, including sites that run a Woodmart child theme, since the vulnerable code lives in the parent. "Arbitrary shortcode execution" means the attacker chooses which registered shortcode runs and with which attributes, so the real impact depends on what else is registered on the site (WooCommerce, page builders, form and snippet plugins), which is why the rating is high rather than critical.

💻 Affected Systems

Products:
  • Woodmart WordPress Theme
Versions: All versions up to and including 8.2.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with the Woodmart theme installed and active (a Woodmart child theme counts, because it loads the vulnerable parent). No special configuration is needed.

📦 What is this software?

Woodmart is a commercial WooCommerce storefront theme sold on ThemeForest (see the vendor page below). It ships its own product grid, filter and "load more" functionality, which is why it exposes product-rendering functions such as woodmart_get_products_shortcode() to front-end requests.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Site takeover, if a registered shortcode can be turned into code execution or a file write (for example a snippet, template or page-builder shortcode that evaluates PHP or renders arbitrary templates), followed by data exfiltration or malware injection.

🟠 Likely Case

Unauthenticated invocation of shortcodes that were never meant to be reachable by anonymous visitors, with attacker-chosen attributes: content manipulation, injected scripts or redirects, and privilege escalation where a registered shortcode performs a privileged action such as creating or modifying accounts.

🟢 If Mitigated

Limited impact if the set of shortcodes an unauthenticated request may render is restricted by a security plugin or a custom filter, or if the unauthenticated entry point is removed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation consists of sending crafted requests to the front-end endpoint that reaches woodmart_get_products_shortcode(). No account or session is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2.4 or later

Vendor Page: https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492 (ThemeForest listing; the theme changelog is published there, and no dedicated security advisory is linked here)

Restart Required: No

Instructions:

1. Log into the WordPress admin panel
2. Navigate to Appearance > Themes and note the version of the Woodmart parent theme (a child theme shows its own version and is not what needs updating)
3. Check for a Woodmart update. ThemeForest themes do not update from WordPress.org: the update arrives through the theme's own updater (which requires the license to be activated in its dashboard), through the Envato Market plugin, or by manually uploading the new theme package downloaded from ThemeForest
4. Update the parent theme to version 8.2.4 or later; a child theme needs no change
5. Purge page-cache plugins and CDN caches, since cached responses were rendered by the old code

🔧 Temporary Workarounds

Disable the vulnerable entry point (all platforms)

Unhook woodmart_get_products_shortcode() from the action that exposes it to unauthenticated requests, and do it from a must-use plugin or child theme rather than by editing the parent theme: edits to theme files are lost on the next update, and deleting the function itself breaks every product grid that calls it. Expect the theme's AJAX-driven product loading to stop working for anonymous visitors while the hook is removed.

Input validation filter (all platforms)

Add a WordPress filter, in a custom plugin or the child theme's functions.php, that restricts which shortcodes an unauthenticated request may render. WordPress's pre_do_shortcode_tag filter runs before every shortcode callback and can short-circuit it, which makes it a practical choke point without touching theme code.

🧯 If You Can't Patch

  • Temporarily switch to a default WordPress theme. This removes the storefront layout entirely, so it is a last resort for short windows only
  • Add WAF rules that rate-limit unauthenticated requests to the endpoint that reaches this function and block request parameters carrying shortcode syntax ([tag attr="..."]) where only product query attributes are expected. Matching on the URL alone is not enough, because legitimate storefront traffic uses the same endpoint
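The two workarounds above (restricting shortcodes reachable by anonymous requests, and unhooking the unauthenticated entry point) as one must-use plugin. This is an added example written for this page, not Woodmart's code or a vendor-supplied fix. Assumptions are marked in the comments: the allowlist names are placeholders to be replaced with the shortcodes your storefront actually needs, the vulnerable path is reached through admin-ajax.php or the REST API, and the unauthenticated hook follows WordPress's wp_ajax_nopriv_{action} naming with the function name as the action.

```php
<?php
/**
 * Plugin Name: Anonymous shortcode guard (example mitigation for CVE-2025-6744)
 * Description: Illustrative must-use plugin, not Woodmart's code. Copy to
 *              wp-content/mu-plugins/anon-shortcode-guard.php and remove it
 *              once the parent theme is at 8.2.4 or later.
 */

// Shortcodes an anonymous admin-ajax.php or REST request may still render.
// ASSUMPTION: these names are placeholders. Build the real list from
// `wp eval 'print_r(array_keys($GLOBALS["shortcode_tags"]));'` on your site
// and keep only what the storefront's AJAX product loading genuinely needs.
const ANON_SHORTCODE_ALLOWLIST = array(
    'products',
    'product_category',
);

/**
 * True when the current request is an unauthenticated AJAX or REST call,
 * the only context in which this guard changes behaviour. Normal page
 * renders and logged-in users are left untouched.
 */
function anon_guard_is_anonymous_api_request() {
    if ( is_user_logged_in() ) {
        return false;
    }
    return wp_doing_ajax() || ( defined( 'REST_REQUEST' ) && REST_REQUEST );
}

// pre_do_shortcode_tag fires before every shortcode callback; returning
// anything other than false replaces the shortcode output with that value.
add_filter( 'pre_do_shortcode_tag', function ( $return, $tag, $attr, $m ) {
    if ( ! anon_guard_is_anonymous_api_request() ) {
        return $return;
    }
    if ( in_array( $tag, ANON_SHORTCODE_ALLOWLIST, true ) ) {
        return $return;
    }
    // Log enough to hunt with: which shortcode, which AJAX action, which client.
    error_log( sprintf(
        'anon-shortcode-guard: blocked [%s] action=%s ip=%s',
        $tag,
        isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '-',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    return ''; // render nothing in place of the blocked shortcode
}, 10, 4 );

// Stricter alternative: unhook the unauthenticated AJAX entry point entirely.
// ASSUMPTION: the hook name follows the wp_ajax_nopriv_{action} pattern with
// the vulnerable function registered as both action and callback; confirm with
// `grep -rn woodmart_get_products_shortcode wp-content/themes/woodmart` first.
// This stops AJAX product loading for anonymous visitors until the theme is updated.
add_action( 'init', function () {
    remove_action( 'wp_ajax_nopriv_woodmart_get_products_shortcode', 'woodmart_get_products_shortcode' );
}, 100 );
```

The filter only intercepts shortcodes rendered through do_shortcode(); if the theme invokes a shortcode callback directly it will not be seen, which is why the unhook variant is included. Test on staging with the storefront's product grids, filters and "load more" as an anonymous visitor: anything blocked shows up in the PHP error log and tells you which names belong in the allowlist.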

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, under Appearance > Themes, read the version of the Woodmart parent theme. A Woodmart child theme reports its own version, so check the parent. If the parent is 8.2.3 or lower, the site is vulnerable.

Check Version:

wp theme list --fields=name,version,status --path=/path/to/wordpress

Note the plural --fields, which selects several columns; --field takes a single column name, so the original --field=name,version form fails. If the theme directory is named woodmart, the version alone is:

wp theme get woodmart --field=version --path=/path/to/wordpress

Verify Fix Applied:

Confirm the Woodmart parent theme version is 8.2.4 or higher in the admin panel or with the WP-CLI command above, then confirm page and CDN caches were purged after the update.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST requests to the endpoint that reaches woodmart_get_products_shortcode() (an admin-ajax.php action or a REST route; confirm which from the theme source) arriving in bursts from single IPs with no preceding page views
  • Request parameters carrying shortcode syntax, such as [tag attr="..."], where only product query attributes are expected. Web server access logs record only the request line, so this is visible only where the WAF or application layer logs request bodies
  • PHP warnings or fatal errors from shortcode callbacks that never run for anonymous visitors in normal operation, in the PHP error log or in wp-content/debug.log when WP_DEBUG_LOG is enabled

Network Indicators:

  • HTTP requests from a single client to admin-ajax.php or the WordPress REST API whose bodies contain shortcode brackets or name shortcodes the storefront never uses

SIEM Query:

PHP function names such as woodmart_get_products_shortcode or do_shortcode never appear in web server logs, so a query keyed on them matches nothing. A Splunk-style baseline over access logs, using the field names the access_combined sourcetype extracts, is:

sourcetype=access_combined method=POST uri_path="/wp-admin/admin-ajax.php" | stats count by clientip, uri_query | where count > 50

Tune the threshold to the site's normal AJAX volume, and narrow on the action name once it is confirmed from the theme source. For POST requests the action usually travels in the body rather than the query string, so pair this with WAF or body logging where available.
