Impact
The WoodMart WordPress theme contains an improper neutralization of script‑related HTML tags in its shortcode handling logic. This basic XSS flaw (CWE‑80) permits an attacker to inject malicious markup that is rendered whenever the shortcode is processed. The injected payload executes in the context of the site visitor’s browser, facilitating session hijacking, credential theft, or other client‑side attacks. Because the vulnerability is a code‑injection vector, highly privileged users or content editors who can add or modify shortcodes are the ones in a position to trigger it.
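The pattern the advisory describes, shown here as an added illustration rather than WoodMart's own code (which the advisory does not reproduce): a hypothetical shortcode handler that emits an attribute and its nested content without neutralising HTML tags, beside the hardened form a theme should ship. It assumes WordPress is loaded (for example as a must-use plugin); the shortcode names and attribute names are invented for the demonstration.

```php
<?php
/*
 * Illustrative example only, not the theme's code. Assumes WordPress is
 * loaded, e.g. saved as wp-content/mu-plugins/shortcode-escaping-demo.php.
 * The shortcode names 'demo_banner_unsafe'/'demo_banner_safe' and the
 * 'title' and 'link' attributes are invented for this demonstration.
 */

// Vulnerable pattern (CWE-80): attribute values and inner content are
// concatenated into the markup as-is. A user who can write
// [demo_banner_unsafe title="<script>...</script>"] into a post gets that
// markup delivered verbatim to every visitor who renders the page.
function demo_banner_unsafe( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'title' => '', 'link' => '#' ), $atts, 'demo_banner_unsafe' );
    return '<div class="banner"><a href="' . $atts['link'] . '">'
         . $atts['title'] . '</a>' . do_shortcode( $content ) . '</div>';
}
add_shortcode( 'demo_banner_unsafe', 'demo_banner_unsafe' );

// Hardened pattern: every value is escaped for the context it lands in.
// esc_url() drops URLs whose scheme is not in wp_allowed_protocols() (so
// javascript: links are rejected), esc_html() neutralises tags in text, and
// wp_kses_post() strips script tags and event-handler attributes from the
// nested content while keeping the HTML a post author is normally allowed.
function demo_banner_safe( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'title' => '', 'link' => '#' ), $atts, 'demo_banner_safe' );
    return '<div class="banner"><a href="' . esc_url( $atts['link'] ) . '">'
         . esc_html( $atts['title'] ) . '</a>'
         . wp_kses_post( do_shortcode( $content ) ) . '</div>';
}
add_shortcode( 'demo_banner_safe', 'demo_banner_safe' );
```

The escaping belongs in the handler itself: content saved by users who hold the unfiltered_html capability is not passed through kses on save, so a shortcode callback cannot rely on input filtering having already removed script tags.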
Affected Systems
WordPress sites running the xtemos WoodMart theme at version 8.3.7 or earlier are affected. No specific operating system or plugin versions are enumerated beyond the theme itself, so the affected scope is any WordPress installation running one of those theme versions.
Risk and Exploitability
The flaw is scored CVSS 5.3, indicating moderate severity. The EPSS score of less than 1% suggests that exploitation attempts are currently rare, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack is relatively straightforward: a content creator or administrator who can insert or edit shortcodes may embed the malicious script, which then runs for every visitor who renders the page. Even with the low exploitation probability, the potential impact on user data and site reputation warrants prompt action. The description does not explicitly state the attack vector; the inference here is that an attacker who can add or edit shortcodes is the likely one.
OpenCVE Enrichment