CVE-2025-6744 is a code injection vulnerability classified under CWE-94 found in the Woodmart WordPress theme developed by xTemos. The vulnerability exists because the function woodmart_get_products_shortcode() improperly validates input before passing it to WordPress's do_shortcode function, which executes shortcodes. Shortcodes in WordPress are snippets that can execute PHP code or perform actions within posts or pages. Due to insufficient input validation, an unauthenticated attacker can craft a request that triggers arbitrary shortcode execution, effectively allowing remote code execution within the context of the WordPress site. This flaw affects all versions of Woodmart up to and including 8.2.3. The vulnerability has a CVSS v3.1 score of 7.3, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact includes potential unauthorized disclosure of information (confidentiality), unauthorized modification of data or site content (integrity), and disruption or degradation of service (availability). Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers seeking to compromise WordPress sites using this theme. The lack of a patch link suggests that a fix may not yet be publicly available, increasing urgency for mitigation.

The vulnerability enables unauthenticated remote attackers to execute arbitrary shortcodes, which can lead to remote code execution or unauthorized actions within the WordPress environment. This compromises the confidentiality of sensitive data stored or processed by the site, including user information and business data. Integrity is at risk as attackers can modify site content, inject malicious code, or alter configurations. Availability may be impacted if attackers disrupt site functionality or cause denial of service through malicious shortcode execution. Organizations using Woodmart for e-commerce or content delivery face risks of data breaches, defacement, or service outages. The broad impact on confidentiality, integrity, and availability combined with ease of exploitation and no authentication requirement makes this a critical threat to WordPress sites globally. Attackers could leverage this vulnerability to establish persistent footholds, pivot within networks, or launch further attacks against site visitors or backend systems.

Immediate mitigation should include disabling or restricting the use of shortcodes in user inputs or untrusted contexts within the Woodmart theme. Site administrators can implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode patterns or requests targeting the vulnerable function. Until an official patch is released by xTemos, consider temporarily switching to a different theme or removing Woodmart to eliminate exposure. Regularly monitor site logs for unusual shortcode execution attempts or unexpected behavior. Employ principle of least privilege by limiting permissions of WordPress users and plugins to reduce potential damage. Keep WordPress core, plugins, and themes updated to minimize attack surface. Engage with the vendor for timely patch updates and apply them as soon as available. Conduct security audits and penetration testing focused on shortcode handling and input validation to identify residual risks.