CVE-2025-6746 is a Local File Inclusion vulnerability affecting all versions of the WoodMart plugin for WordPress up to and including 8.2.3. The vulnerability stems from improper validation and control of the 'layout' attribute, which is used in PHP include or require statements. Authenticated attackers with Contributor-level privileges or higher can manipulate this attribute to include arbitrary PHP files from the server filesystem. If an attacker can upload PHP files (e.g., via other plugin features or WordPress media upload with improper restrictions), they can execute arbitrary code remotely, leading to full server compromise. The vulnerability is classified under CWE-98, which involves improper control of filenames used in include/require statements, a common vector for LFI and Remote File Inclusion (RFI) attacks. The CVSS 3.1 score of 8.8 reflects the vulnerability's network attack vector, low attack complexity, required privileges (low), no user interaction, and high impact on confidentiality, integrity, and availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. However, the presence of this vulnerability in a widely used WordPress plugin makes it a significant risk for websites using WoodMart themes, especially those allowing contributor-level access to untrusted users.

The impact of CVE-2025-6746 is severe for organizations using the WoodMart WordPress plugin. Exploitation can lead to remote code execution on the web server, enabling attackers to bypass access controls and execute arbitrary PHP code. This can result in full compromise of the web server, including theft or modification of sensitive data, defacement, installation of backdoors or malware, and pivoting to internal networks. Since Contributor-level users can exploit this, any site allowing user-generated content or multiple contributors is at risk. The vulnerability threatens confidentiality, integrity, and availability of affected systems. Given WordPress's widespread use globally, organizations ranging from small businesses to large enterprises using WoodMart themes are at risk. The lack of known exploits currently provides a window for mitigation, but the ease of exploitation and high impact necessitate urgent attention.

1. Immediately restrict Contributor-level and higher user permissions to trusted users only until a patch is available. 2. Monitor and audit user uploads to prevent uploading of PHP files or other executable content. 3. Implement web application firewall (WAF) rules to detect and block suspicious requests manipulating the 'layout' parameter or attempting file inclusion. 4. Disable or remove the WoodMart plugin if not essential or replace it with a secure alternative. 5. Regularly back up website data and server configurations to enable recovery in case of compromise. 6. Monitor logs for unusual file access patterns or execution of unexpected PHP files. 7. Once a patch is released by xTemos, apply it promptly. 8. Employ PHP configuration hardening, such as disabling allow_url_include and restricting file system permissions to limit the impact of file inclusion vulnerabilities. 9. Use security plugins that can detect and prevent LFI attempts and unauthorized file executions. 10. Educate site administrators and contributors about the risks of uploading executable files and the importance of secure practices.