CVE-2025-6745 is an information exposure vulnerability identified in the WoodMart plugin for WordPress, a popular e-commerce and theme plugin developed by xTemos. The flaw exists in the woodmart_get_posts_by_query() function, which is responsible for retrieving posts based on specific queries. Due to insufficient access control checks, this function can be exploited by unauthenticated attackers to access posts that are meant to be restricted, including password-protected, private, or draft posts. This means sensitive data intended to be hidden from public or unauthorized users can be extracted without any authentication or user interaction. The vulnerability affects all versions up to and including 8.2.5. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based with low complexity and no privileges or user interaction required, but the impact is limited to confidentiality loss without affecting integrity or availability. No patches or exploit code are currently publicly available, but the risk remains significant for sites using the vulnerable versions. This vulnerability falls under CWE-200, which covers exposure of sensitive information to unauthorized actors.

The primary impact of CVE-2025-6745 is unauthorized disclosure of sensitive information stored in WordPress posts that should be protected, such as private business data, unpublished content, or confidential customer information. For organizations relying on WoodMart for their e-commerce or content management, this could lead to data leaks that damage reputation, violate privacy regulations, or expose competitive intelligence. Since the vulnerability requires no authentication, any attacker on the internet can exploit it remotely, increasing the risk of widespread data exposure. Although it does not affect system integrity or availability, the confidentiality breach alone can have serious consequences, especially for businesses handling sensitive or regulated data. The absence of known exploits in the wild suggests limited active exploitation currently, but the vulnerability is straightforward to exploit given the low complexity and no required privileges. Organizations worldwide using WoodMart are at risk until they apply fixes or mitigations.

To mitigate CVE-2025-6745, organizations should immediately update the WoodMart plugin to a version that addresses this vulnerability once released by xTemos. Until an official patch is available, administrators can implement strict access controls at the WordPress level, such as restricting access to sensitive posts via custom code or plugins that enforce authentication and authorization checks before serving post content. Disabling or restricting the woodmart_get_posts_by_query() function through plugin customization or firewall rules may also reduce exposure. Monitoring web server logs for unusual requests targeting this function can help detect exploitation attempts. Additionally, organizations should review and limit the amount of sensitive data stored in private or draft posts and consider encrypting sensitive content where feasible. Regular backups and security audits of WordPress installations are recommended to maintain overall security hygiene.