CVE-2025-6743 is a stored cross-site scripting vulnerability classified under CWE-79, discovered in the Woodmart WordPress theme developed by xTemos. This vulnerability affects all versions up to and including 8.2.3. The root cause is insufficient sanitization and escaping of user-supplied input specifically in the 'multiple_markers' attribute used by the theme. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes in the context of any user who visits the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the risks of insufficient input validation in WordPress themes, especially those with complex user input features. It is critical for site administrators to review user roles and restrict contributor-level access where possible, as well as monitor for suspicious script injections.

The impact of CVE-2025-6743 is significant for organizations using the Woodmart theme on WordPress sites, particularly e-commerce and content-heavy websites. Exploitation allows attackers to execute arbitrary scripts in the browsers of site visitors, leading to session hijacking, theft of sensitive information, defacement, or redirection to malicious sites. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts pose a risk. The altered scope means that the attack can affect other components or users beyond the initial injection point, potentially leading to broader compromise. This can undermine user trust, cause data breaches, and result in financial and reputational damage. Organizations with large user bases or those handling sensitive customer data are at higher risk. The lack of known exploits in the wild currently reduces immediate threat but does not eliminate the risk of future attacks.

To mitigate CVE-2025-6743, organizations should immediately restrict contributor-level access to trusted users only and audit existing contributors for suspicious activity. Implement a web application firewall (WAF) with rules to detect and block XSS payloads targeting the 'multiple_markers' attribute. Regularly monitor website content for unauthorized script injections. Since no official patch is currently available, consider temporarily disabling or removing the vulnerable feature if feasible. Employ Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Educate site administrators and contributors about safe input practices and the risks of XSS. When a patch becomes available, promptly apply it. Additionally, conduct regular security scans and penetration tests focusing on input validation and output encoding in WordPress themes and plugins.