Description
The WoodMart theme for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 8.2.6. This is due to insufficient validation of the qty parameter in the woodmart_update_cart_item function. This makes it possible for unauthenticated attackers to manipulate cart quantities using fractional values, allowing them to obtain products for free by setting extremely small quantities (e.g., 0.00001) that round cart totals to $0.00, effectively bypassing payment requirements and allowing unauthorized acquisition of virtual or downloadable products.
Published: 2025-07-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Cart Manipulation leading to Free Product Acquisition
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in improper input validation of the qty parameter within the woodmart_update_cart_item function in the WoodMart WooCommerce theme. By sending fractional values, attackers can reduce the effective quantity to negligible amounts that cause the cart total to round to $0.00, thereby allowing unauthenticated users to obtain virtual or downloadable products without payment. This flaw permits direct manipulation of the shopping cart without authentication, potentially leading to significant financial loss for site owners.

Affected Systems

The problem affects the WoodMart theme sold by xTemos for WordPress environments, specifically all releases up to and including version 8.2.6. Any WordPress site that has not applied a later update is susceptible to this issue.

Risk and Exploitability

The CVSS score of 5.3 places this flaw in the medium severity range, and the EPSS score of less than 1% indicates a low likelihood of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is unauthenticated and relies on a public web interface, making it plausible for anyone to craft the needed request to manipulate the cart.

Generated by OpenCVE AI on April 20, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WoodMart theme to the latest version (at least 8.2.7) to remove the vulnerable input handling.
  • If an immediate update is not possible, temporarily block or filter the qty parameter on the server side, accepting only integer values greater than or equal to 1.
  • Monitor the site for anomalous cart activity and verify that no unauthorized orders appear after the patch or parameter restriction is in place.
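One way to implement the second recommendation (server-side rejection of any non-integer qty), as an added example that is not OpenCVE's or xTemos's code. It assumes a WordPress mu-plugin deployment and that the vulnerable cart update is reached through a request carrying a top-level qty parameter, as the description states; the function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Reject non-integer cart quantities (temporary mitigation for CVE-2025-8097)
 * Description: Hypothetical mu-plugin (drop into wp-content/mu-plugins/) that refuses any
 *              request carrying a "qty" parameter that is not a whole number >= 1.
 */

/**
 * Accept only digit strings with no leading zero: "1", "25", "300".
 * A strict regex is used instead of (int) casts or is_numeric(), which would
 * quietly accept "0.00001", "1e-5", "-3" or " 2" and reintroduce the flaw.
 */
function cve_2025_8097_is_whole_qty( $value ) {
    return is_string( $value ) && 1 === preg_match( '/^[1-9][0-9]*$/', $value );
}

/**
 * Runs on every request that carries "qty" (GET, POST or cookie via $_REQUEST),
 * including admin-ajax.php and the wc-ajax endpoint, both of which dispatch
 * their handlers after "init". Priority 0 runs before the theme's own init hooks.
 */
function cve_2025_8097_guard_qty() {
    if ( ! isset( $_REQUEST['qty'] ) ) {
        return;
    }
    $raw = $_REQUEST['qty'];
    if ( cve_2025_8097_is_whole_qty( $raw ) ) {
        return;
    }
    // Record the rejection so anomalous cart activity is visible in the PHP error log.
    error_log( sprintf(
        'CVE-2025-8097 guard: rejected qty=%s from %s for %s',
        is_scalar( $raw ) ? $raw : gettype( $raw ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : ''
    ) );
    wp_die( 'Invalid quantity.', 'Bad Request', array( 'response' => 400 ) );
}
add_action( 'init', 'cve_2025_8097_guard_qty', 0 );
```

The guard applies to every request with a qty field, so a store that legitimately sells fractional quantities (for example by weight through another plugin) needs a narrower check; it is a stopgap until the theme is updated.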

Generated by OpenCVE AI on April 20, 2026 at 22:06 UTC.


Advisories
Source | ID | Title
EUVD | EUVD-2025-22785 | (same text as the Description above)
History

Mon, 28 Jul 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 28 Jul 2025 13:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Xtemos; Xtemos woodmart
Vendors & Products | | Wordpress; Wordpress wordpress; Xtemos; Xtemos woodmart

Sat, 26 Jul 2025 07:00:00 +0000

Type | Values Removed | Values Added
Description | | The WoodMart theme for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 8.2.6. This is due to insufficient validation of the qty parameter in the woodmart_update_cart_item function. This makes it possible for unauthenticated attackers to manipulate cart quantities using fractional values, allowing them to obtain products for free by setting extremely small quantities (e.g., 0.00001) that round cart totals to $0.00, effectively bypassing payment requirements and allowing unauthorized acquisition of virtual or downloadable products.
Title | | WoodMart - Multipurpose WooCommerce Theme <= 8.2.6 - Improper Input Validation Leading to Unauthenticated Cart Manipulation
Weaknesses | | CWE-20
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress / Wordpress
Xtemos / Woodmart
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:50.129Z

Reserved: 2025-07-23T17:52:17.006Z

Link: CVE-2025-8097

Vulnrichment

Updated: 2025-07-28T15:51:49.106Z

NVD

Status : Deferred

Published: 2025-07-26T07:15:26.277

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8097

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses