CVE-2025-7366: CWE-94 Improper Control of Generation of Code ('Code Injection') in sizam REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme
The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 19.9.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
AI Analysis
Technical Summary
CVE-2025-7366 is a critical vulnerability found in the REHub - Price Comparison, Multi Vendor Marketplace WordPress theme developed by sizam. The flaw arises from improper control of code generation (CWE-94), specifically due to the theme's failure to properly validate input before executing the WordPress function do_shortcode. This function processes shortcodes, which are snippets of code embedded in WordPress content to perform dynamic actions. Because the theme allows unauthenticated users to trigger shortcode execution without validation, attackers can inject and execute arbitrary shortcodes remotely. This can lead to unauthorized code execution within the WordPress environment, potentially allowing attackers to manipulate site content, execute malicious PHP code, or perform other unauthorized actions. The vulnerability affects all versions up to and including 19.9.7. The CVSS v3.1 base score is 7.3, indicating a high-severity issue with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope remains unchanged (S:U), with low confidentiality, integrity, and availability impacts (C:L/I:L/A:L). Although no public exploits are known at this time, the vulnerability's characteristics make it a prime target for exploitation once weaponized. The theme is widely used in WordPress e-commerce and marketplace sites, increasing the potential attack surface. The vulnerability was published on September 6, 2025, with the initial reservation date on July 8, 2025. No official patches or updates have been linked yet, emphasizing the need for immediate attention from site administrators.
Potential Impact
The vulnerability allows unauthenticated remote attackers to execute arbitrary shortcodes, which can lead to unauthorized code execution within the WordPress environment. This can compromise the confidentiality of sensitive data, integrity of website content, and availability of the affected site. Attackers might leverage this to inject malicious payloads, deface websites, steal user credentials, or pivot to further internal network compromise. Given the theme's use in multi-vendor marketplaces and price comparison sites, exploitation could disrupt e-commerce operations, damage brand reputation, and lead to financial losses. The lack of authentication and user interaction requirements significantly lowers the barrier to exploitation, increasing the risk of widespread attacks. Organizations relying on this theme without mitigation are vulnerable to automated scanning and exploitation attempts, potentially impacting millions of WordPress sites globally.
Mitigation Recommendations
Site administrators should immediately verify if their WordPress installations use the REHub theme up to version 19.9.7 and plan to upgrade to a patched version once available. In the absence of official patches, administrators can mitigate risk by disabling shortcode execution for unauthenticated users via custom code or security plugins that restrict do_shortcode usage. Implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious shortcode execution attempts can reduce exposure. Regularly monitoring logs for unusual shortcode activity and restricting file permissions to limit code execution capabilities are recommended. Additionally, isolating WordPress instances and enforcing least privilege principles on user roles can limit the impact of a successful exploit. Backup strategies should be reviewed and tested to ensure rapid recovery in case of compromise. Coordinating with theme developers and subscribing to security advisories will help ensure timely patch deployment.
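The following is an added illustration of the code pattern the advisory describes and of the "custom code" mitigation it suggests; it is not code from the REHub theme. It shows a hypothetical WordPress AJAX handler that passes a request value straight to do_shortcode, beside a hardened version that never lets request data reach do_shortcode at all. The hook names, request keys, nonce action and the shortcode allowlist are all assumptions.

```php
<?php
// Added example, not code from the REHub theme. Hook names, request keys,
// the nonce action and the shortcode allowlist below are assumptions.

// UNSAFE pattern of the kind the advisory describes: the value comes from the
// request and reaches do_shortcode() without validation, and the "nopriv"
// hook makes the handler reachable without authentication.
add_action( 'wp_ajax_nopriv_render_block', 'unsafe_render_block' );
function unsafe_render_block() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // any registered shortcode runs here
    wp_die();
}

// HARDENED version: the caller only names a block id; the server maps that id
// to a fixed shortcode string it controls, so request data never reaches
// do_shortcode(). The handler is registered for logged-in users only and
// adds nonce and capability checks.
add_action( 'wp_ajax_render_block', 'safe_render_block' );
function safe_render_block() {
    // Constructed allowlist of the shortcode strings this site actually needs.
    $allowed_blocks = array(
        'featured_deals' => '[example_deals count="5"]',
        'top_vendors'    => '[example_vendors limit="3"]',
    );

    // Reject cross-site requests and callers without the needed capability.
    check_ajax_referer( 'render_block_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only a key into the allowlist is accepted from the request.
    $block = isset( $_POST['block'] ) ? sanitize_key( wp_unslash( $_POST['block'] ) ) : '';
    if ( ! array_key_exists( $block, $allowed_blocks ) ) {
        wp_send_json_error( 'unknown block', 400 );
    }

    wp_send_json_success( do_shortcode( $allowed_blocks[ $block ] ) );
}
```

Not registering the wp_ajax_nopriv_ variant is what removes unauthenticated access to the handler, which is the "disable shortcode execution for unauthenticated users" step the recommendations above refer to; the allowlist is what removes the unvalidated value.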
Affected Countries
United States, Germany, United Kingdom, India, Brazil, Canada, Australia, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-08T18:39:03.086Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68bb9510535f4a97731d3e15
Added to database: 9/6/2025, 1:57:36 AM
Last enriched: 2/26/2026, 4:07:41 PM
Last updated: 3/25/2026, 6:45:55 AM