Description
The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included.
Published: 2025-07-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Execution of arbitrary PHP code via Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The WoodMart WordPress theme (the CVE description calls it a plugin) contains a Local File Inclusion vulnerability in all versions up to and including 8.2.3, reached through the 'layout' attribute. An authenticated user with Contributor-level access or higher can make the WordPress instance include and execute an arbitrary .php file on the server, running whatever PHP code that file contains. This lets an attacker bypass existing access controls and disclose sensitive information, and it becomes full code execution whenever a .php file of the attacker's choosing can be placed on the server (for example through an upload feature) or already exists there. The flaw is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).

Affected Systems

The vulnerability affects the Xtemos WoodMart WordPress theme, versions 8.2.3 and earlier (CPE cpe:2.3:a:xtemos:woodmart:*:*:*:*:*:wordpress:*:*). Any WordPress site running one of these versions is exposed to every account at Contributor level or above.

Risk and Exploitability

The CVSS 3.1 score is 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no user interaction, with the PR:L component reflecting the Contributor-level login that is required. The EPSS score is under 1%, which suggests a low probability of exploitation in the wild at the time of writing, and the CVE is not listed in the CISA KEV catalog; the SSVC assessment likewise records Exploitation: none and Automatable: no, but Technical Impact: total. Exploitation requires a valid Contributor-level or higher session plus a .php file the include can be pointed at, either one the attacker places on the server or one that already exists there. A default WordPress Contributor can draft posts but does not hold the upload_files capability, so the upload leg of the chain normally depends on a plugin, a customised role or a second weakness; including PHP files already present on the server needs no upload at all. Once those conditions are met, the attacker runs arbitrary PHP as the web server user, which amounts to complete compromise of the affected site and server account.

Generated by OpenCVE AI on April 21, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround is recorded in the CVE entry itself; see the recommended actions below for the upgrade path.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the WoodMart theme (8.2.4 or later), which fixes the LFI flaw, and confirm the installed version afterwards from the theme's style.css header.
  • If an upgrade is not immediately possible, neutralise the 'layout' attribute: disable or wrap the element that consumes it so the value is matched against a fixed allowlist of layout names and resolved only inside the theme's own templates directory. Web-server rules are of little use here, because the attribute is evaluated by PHP when the page is rendered rather than arriving as a request parameter the web server can inspect.
  • Keep Contributor accounts without the upload_files capability (the WordPress default; check that no plugin or role editor has granted it) and block PHP execution in writable directories such as wp-content/uploads, so that a file an attacker does manage to place there cannot be executed through the include.
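
As an added example that is not part of the OpenCVE page or of WoodMart's code, the following PHP shows the CWE-98 pattern the Impact section describes next to the "restrict the attribute to a safe directory" workaround from the recommendations above: a hypothetical shortcode handler whose 'layout' attribute feeds a PHP include, and a hardened version that allowlists the name and confirms the resolved path stays inside the layouts directory. The function names, the allowlist, the directory layout and the sample files are assumptions made for the demonstration.

```php
<?php
// Added illustrative example, not WoodMart's code: a hypothetical shortcode
// handler with the CWE-98 shape the advisory describes (a 'layout' attribute
// that reaches a PHP include). Names, allowlist and directory layout are assumed.

// Vulnerable shape: the attribute is concatenated straight into the include
// path, so '../' segments walk out of the intended directory and any .php file
// the web server user can read gets executed.
function render_layout_vulnerable(array $atts, string $template_dir): string
{
    $layout = (string) ($atts['layout'] ?? 'default');
    $file   = $template_dir . '/layouts/' . $layout . '.php';
    ob_start();
    include $file;   // attacker-controlled $layout: Local File Inclusion
    return (string) ob_get_clean();
}

// Hardened shape: accept only a fixed set of layout names, then verify that the
// resolved path still lives under the layouts directory. realpath() follows
// symlinks, so a planted link cannot escape the directory either.
function resolve_layout_file(string $layout, string $template_dir): ?string
{
    $allowed = ['default', 'grid', 'list'];   // assumed names the theme ships
    if (!in_array($layout, $allowed, true)) {
        return null;
    }
    $base = realpath($template_dir . '/layouts');
    if ($base === false) {
        return null;
    }
    $file = realpath($base . '/' . $layout . '.php');
    if ($file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

function render_layout_hardened(array $atts, string $template_dir): string
{
    $file = resolve_layout_file((string) ($atts['layout'] ?? 'default'), $template_dir);
    if ($file === null) {
        return '';   // unknown or out-of-tree layout: render nothing
    }
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

// Demonstration on a constructed, throwaway template tree.
$dir = sys_get_temp_dir() . '/layout-demo-' . getmypid();
mkdir("$dir/layouts", 0700, true);
file_put_contents("$dir/layouts/grid.php", '<p>grid layout</p>');
// Stands in for a .php file outside the layouts directory (an upload, a plugin
// file, anything PHP can read) that an attacker wants executed.
file_put_contents("$dir/evil.php", '<?php echo "[payload executed from outside layouts/]"; ?>');

foreach (['grid', '../evil'] as $probe) {
    printf("layout=%-10s vulnerable: %-45s hardened: %s\n",
        $probe,
        render_layout_vulnerable(['layout' => $probe], $dir),
        render_layout_hardened(['layout' => $probe], $dir) ?: '(rejected)');
}

array_map('unlink', ["$dir/layouts/grid.php", "$dir/evil.php"]);
rmdir("$dir/layouts");
rmdir($dir);
```

Run it with `php` from the command line: the legitimate `grid` value renders in both handlers, while the traversal value `../evil` executes the planted file only through the vulnerable handler and is rejected by the hardened one. The allowlist check is what makes the difference; the realpath prefix check is a second layer in case the allowlisted names ever come from configuration rather than a literal array.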


Advisories

  Source: EUVD
  ID: EUVD-2025-20411
  Title: (same text as the Description section above)

History

Mon, 14 Jul 2025 13:45:00 +0000
  Metrics: epss changed from {'score': 0.00086} to {'score': 0.00087}

Wed, 09 Jul 2025 14:15:00 +0000
  First Time appeared: Xtemos; Xtemos woodmart
  CPEs added: cpe:2.3:a:xtemos:woodmart:*:*:*:*:*:wordpress:*:*
  Vendors & Products added: Xtemos; Xtemos woodmart

Tue, 08 Jul 2025 14:15:00 +0000
  Metrics: ssvc added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 08 Jul 2025 07:00:00 +0000
  Description added: (same text as the Description section above)
  Title added: WoodMart <= 8.2.3 - Authenticated (Contributor+) Local File Inclusion
  Weaknesses added: CWE-98
  References: (none listed in this entry)
  Metrics: cvssV3_1 added {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

  Status: PUBLISHED
  Assigner: Wordfence
  Published:
  Updated: 2026-04-08T17:10:44.415Z
  Reserved: 2025-06-26T18:22:26.347Z
  Link: CVE-2025-6746

Vulnrichment

  Updated: 2025-07-08T13:40:23.578Z

NVD

  Status: Analyzed
  Published: 2025-07-08T07:15:26.587
  Modified: 2025-07-09T13:49:30.467
  Link: CVE-2025-6746

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-04-21T20:00:25Z

Weaknesses