CVE-2025-8097
📋 TL;DR
The WoodMart WordPress theme has an input validation vulnerability that allows unauthenticated attackers to manipulate shopping cart quantities using fractional values. By setting extremely small quantities (e.g., 0.00001), attackers can bypass payment requirements and obtain virtual or downloadable products for free. All WordPress sites using WoodMart theme versions up to 8.2.6 are affected.
💻 Affected Systems
- WoodMart WordPress Theme
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain unlimited free virtual/digital products, causing financial loss and inventory depletion for e-commerce businesses.
Likely Case
Attackers exploit the vulnerability to download paid digital products (software, media, documents) without payment.
If Mitigated
With proper input validation and monitoring, exploitation attempts are detected and blocked before successful theft.
🎯 Exploit Status
Exploitation requires minimal technical skill: an attacker can manipulate the cart quantity with simple HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.2.7 or later
Vendor Advisory: https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Appearance > Themes
3. Update WoodMart theme to version 8.2.7 or later
4. Clear any caching plugins/CDN caches
🔧 Temporary Workarounds
Input Validation Filter
Add a custom PHP filter that validates cart quantity parameters before they are processed.
Add to theme's functions.php:
// Reject any cart quantity that is not a positive whole number before WooCommerce applies it.
add_filter('woocommerce_update_cart_validation', function ($valid, $cart_item_key, $values, $quantity) {
    // is_numeric() rejects garbage; floor() != value catches fractional values such as 0.00001.
    // Note: the standard cart form submits 0 to remove a line item; relax "<= 0" to "< 0" if that flow must keep working.
    if (!is_numeric($quantity) || $quantity <= 0 || floor($quantity) != $quantity) {
        wc_add_notice(__('Invalid quantity specified', 'woocommerce'), 'error');
        return false;
    }
    return $valid;
}, 10, 4);
🧯 If You Can't Patch
- Disable cart quantity updates for unauthenticated users via WooCommerce settings
- Temporarily disable virtual/downloadable product sales until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Appearance > Themes for the WoodMart version. If the version is 8.2.6 or lower, the site is vulnerable.
Check Version:
wp theme list --name=woodmart --field=version
Verify Fix Applied:
After updating, verify WoodMart theme version shows 8.2.7 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- WooCommerce cart update requests with fractional quantity values
- Multiple failed payment attempts with $0.00 totals
- Unusual download patterns for paid digital products
Network Indicators:
- POST requests to /cart/ with qty parameter containing decimal values
- Multiple cart updates from same IP with varying fractional quantities
SIEM Query:
source="wordpress" AND (uri_path="/cart/" OR uri_path="/checkout/") AND (http_method="POST" OR http_method="PUT") AND (query_string CONTAINS "qty=0." OR query_string CONTAINS "quantity=0.")
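As an added defender-side example (not from this advisory or from the WoodMart/WooCommerce projects), the following Python script applies the network indicators above to constructed access-log lines. It assumes the logs record the request line with its query string, as the SIEM query does, and that quantity parameters are named qty or quantity (including the cart[key][qty] form); logs that only capture the request line will not show quantities sent in a POST body.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2025:10:01:02 +0000] "POST /cart/?cart%5Babc%5D%5Bqty%5D=0.00001 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [12/Aug/2025:10:01:05 +0000] "POST /cart/?qty=0.0004 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [12/Aug/2025:10:02:00 +0000] "POST /cart/?qty=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2025:10:02:30 +0000] "GET /product/ebook/?qty=0.5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Aug/2025:10:03:00 +0000] "PUT /checkout/?quantity=1e-3 HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
WATCHED_PATHS = ("/cart/", "/checkout/")
# Matches bare "qty"/"quantity" and bracketed keys such as cart[abc][qty].
QTY_KEY_RE = re.compile(r'(^|\[)(qty|quantity)\]?$')

def fractional_quantities(target):
    """Return (path, [qty values]) where the values are numeric but not whole numbers."""
    parts = urlsplit(target)
    found = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if not QTY_KEY_RE.search(key):
            continue
        try:
            number = float(value)
        except ValueError:
            continue
        if not number.is_integer():  # flags 0.00001, 1e-3, 0.5; accepts 2 and 2.0
            found.append(value)
    return parts.path, found

def scan(log_text):
    """Map source IP -> fractional quantities seen in POST/PUT requests to cart or checkout paths."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") not in ("POST", "PUT"):
            continue
        path, values = fractional_quantities(m.group("target"))
        if path in WATCHED_PATHS and values:
            hits[m.group("ip")].extend(values)
    return dict(hits)

def repeat_offenders(hits, min_requests=2):
    """IPs with several fractional-quantity cart updates (the 'varying quantities from one IP' indicator)."""
    return sorted(ip for ip, values in hits.items() if len(values) >= min_requests)
```

Single hits are worth a look; an IP returned by repeat_offenders matches the "multiple cart updates from same IP" indicator and is the stronger alert.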