Description
The The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Published: 2025-07-08
Score: 7.3 High
EPSS: 1.3% Low
KEV: No
Impact: Remote Code Execution via Shortcodes
Action: Immediate Patch
AI Analysis

Impact

The Woodmart WordPress theme is vulnerable to arbitrary shortcode execution when the woodmart_get_products_shortcode() function calls do_shortcode without validating its input. This flaw, a CWE‑94 code‑generation vulnerability, permits any unauthenticated user to inject malicious shortcodes that are processed by WordPress, potentially enabling remote code execution or other disruptive actions on the site.

Affected Systems

The vulnerability affects the Woodmart theme version 8.2.3 and all earlier releases. Any WordPress site that has not upgraded beyond 8.2.3 is at risk. The affected component is identified by the CPE string indicating the Woodmart theme installed on a WordPress environment.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity, though the EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog. Attackers would target the theme via unauthenticated HTTP requests to the WordPress site, supplying crafted shortcode payloads. Given the lack of authentication requirements and the high potential impact, the threat remains significant while the likelihood of exploitation remains low according to EPSS.

Generated by OpenCVE AI on April 20, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Woodmart theme to the latest version (greater than 8.2.3).
  • If an immediate upgrade is not possible, remove or disable the woodmart_get_products_shortcode() function or any custom shortcode handling in the theme.
  • As a temporary measure, restrict or block the execution of shortcodes on public pages by setting the WordPress configuration to disable do_shortcode for unauthenticated users.

Generated by OpenCVE AI on April 20, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-20414 The The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
History

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00145}

 epss

{'score': 0.00191}

Wed, 09 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Xtemos
Xtemos woodmart
CPEs cpe:2.3:a:xtemos:woodmart:*:*:*:*:*:wordpress:*:*
Vendors & Products Xtemos
Xtemos woodmart

Tue, 08 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 08 Jul 2025 09:45:00 +0000

Type Values Removed Values Added
Description The The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Title Woodmart <= 8.2.3 - Unauthenticated Arbitrary Shortcode Execution
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
Xtemos Woodmart
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:56.203Z

Reserved: 2025-06-26T18:09:26.679Z

Link: CVE-2025-6744

cve-icon Vulnrichment

Updated: 2025-07-08T14:16:17.738Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-08T10:15:22.947

Modified: 2025-07-09T13:47:24.530

Link: CVE-2025-6744

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:30:19Z

Weaknesses