CVE-2025-6746: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in xTemos Woodmart
The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-6746 is a high-severity vulnerability affecting the WoodMart WordPress plugin developed by xTemos. The vulnerability is classified as CWE-98, which pertains to improper control of filenames used in include or require statements in PHP programs, commonly known as Remote File Inclusion (RFI) or Local File Inclusion (LFI). Specifically, this vulnerability allows authenticated attackers with Contributor-level access or higher to exploit the 'layout' attribute in the plugin to perform Local File Inclusion. This means that an attacker can manipulate the filename parameter to include arbitrary PHP files from the server. If the attacker can upload PHP files (e.g., via other plugin features or WordPress media upload with improper restrictions), they can then execute arbitrary PHP code on the server. The vulnerability affects all versions of WoodMart up to and including version 8.2.3. The CVSS v3.1 base score is 8.8, indicating a high severity with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning the attack can be performed remotely over the network with low attack complexity, requires low privileges (Contributor or above), no user interaction, and impacts confidentiality, integrity, and availability to a high degree. Exploitation can lead to bypassing access controls, unauthorized data disclosure, and full remote code execution on the affected server. No patches or fixes are currently linked, and no known exploits in the wild have been reported yet. The vulnerability was published on July 8, 2025, with the reservation date on June 26, 2025.
Potential Impact
For European organizations using WordPress websites with the WoodMart plugin, this vulnerability poses a significant risk. Since Contributor-level access is sufficient to exploit the flaw, any compromised or malicious user account with such privileges can leverage this vulnerability to execute arbitrary PHP code on the web server. This can lead to full compromise of the website and potentially the underlying server environment, resulting in data breaches, defacement, service disruption, or pivoting to internal networks. Organizations in sectors such as e-commerce, media, and services that rely on WordPress with WoodMart themes are particularly at risk. The impact extends to loss of customer trust, regulatory penalties under GDPR due to data exposure, and operational downtime. Given the high CVSS score and the ability to execute code remotely without user interaction, the threat is critical to address promptly. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency of mitigation, as weaponization could occur rapidly once the vulnerability becomes widely known.
Mitigation Recommendations
1. Restrict Contributor-level and higher permissions to trusted individuals only, and audit existing user roles to minimize exposure.
2. Disable or restrict the use of the 'layout' attribute in the WoodMart plugin if possible, or apply web application firewall (WAF) rules to detect and block requests that attempt file inclusion.
3. Monitor web server logs for unusual file inclusion attempts or unexpected PHP file executions.
4. If feasible, isolate WordPress instances in containerized or sandboxed environments to limit the blast radius of a successful exploit.
5. Update the WoodMart plugin to the latest version as soon as the vendor releases a patch.
6. Employ file integrity monitoring to detect unauthorized PHP file uploads or modifications.
7. Harden the PHP configuration: disable the allow_url_include directive, prevent runtime changes to include_path, and restrict file system permissions so that unauthorized files cannot be uploaded or executed.
8. Conduct penetration testing focused on privilege escalation and file inclusion vectors to validate the effectiveness of mitigations.
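As an added illustration of the CWE-98 pattern the analysis describes (hypothetical code, not the WoodMart plugin's own, which this page does not show): a shortcode handler that builds an include path from a 'layout' attribute, first in the vulnerable form and then with the validation that closes the hole. The template directory, function names and layout names are assumptions.

```php
<?php
// Hypothetical illustration of CWE-98, added here; not code from the
// WoodMart plugin. A shortcode handler receives a 'layout' attribute and
// turns it into the path of a template to include.

// Vulnerable form: the attribute reaches include() unvalidated. Any .php
// file the web server can read can be named (via ../ traversal), so an
// uploaded .php file becomes executable through this code path.
function render_layout_vulnerable(array $atts): void
{
    $layout = $atts['layout'] ?? 'default';
    include __DIR__ . '/templates/' . $layout . '.php';
}

// Hardened form: accept only a plain identifier, resolve it with realpath()
// (which collapses ../ and symlinks), and require the result to sit inside
// the templates directory. Where the set of layouts is fixed, a literal
// allowlist (in_array($layout, ['default', 'grid', 'list'], true)) is
// simpler still and should be preferred.
function resolve_layout_path(string $layout): ?string
{
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/', $layout) !== 1) {
        return null;                                   // not an identifier
    }
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;                                   // templates dir missing
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $layout . '.php');
    if ($path === false || !is_file($path)) {
        return null;                                   // no such template
    }
    // Containment check: the resolved path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                                   // escaped via symlink
    }
    return $path;
}

function render_layout_hardened(array $atts): void
{
    $path = resolve_layout_path((string) ($atts['layout'] ?? 'default'));
    if ($path === null) {
        echo '<!-- layout not available -->';          // fail closed
        return;
    }
    include $path;
}
```

The hardened version fails closed on anything that is not a known template name, which is also what a WAF rule or log monitor for this class of bug should key on: 'layout' values containing path separators, dots, or URL schemes.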
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-26T18:22:26.347Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686cc0a16f40f0eb72f236e0
Added to database: 7/8/2025, 6:54:25 AM
Last enriched: 7/8/2025, 7:09:32 AM
Last updated: 7/8/2025, 1:54:30 PM