CVE-2025-8097: CWE-20 Improper Input Validation in xTemos Woodmart
The WoodMart theme for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 8.2.6. This is due to insufficient validation of the qty parameter in the woodmart_update_cart_item function. This makes it possible for unauthenticated attackers to manipulate cart quantities using fractional values, allowing them to obtain products for free by setting extremely small quantities (e.g., 0.00001) that round cart totals to $0.00, effectively bypassing payment requirements and allowing unauthorized acquisition of virtual or downloadable products.
AI Analysis
Technical Summary
CVE-2025-8097 is a vulnerability identified in the WoodMart theme for WordPress, affecting all versions up to and including 8.2.6. The root cause is improper input validation (CWE-20) of the 'qty' parameter within the woodmart_update_cart_item function. This parameter controls the quantity of items added to the shopping cart. Due to insufficient validation, attackers can supply fractional quantities (e.g., 0.00001) that the system processes incorrectly, causing the cart total to round down to zero dollars. This flaw enables unauthenticated attackers to bypass payment mechanisms and acquire virtual or downloadable products for free. The vulnerability is remotely exploitable without requiring any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the ease of exploitation and impact limited to integrity (unauthorized acquisition) without affecting confidentiality or availability. No patches or official fixes have been published yet, and no known exploits have been detected in the wild. The vulnerability highlights a critical failure in input validation logic within e-commerce functionality of the WoodMart theme, which could lead to financial losses and abuse of digital goods distribution.
Potential Impact
The primary impact of CVE-2025-8097 is financial loss due to unauthorized acquisition of virtual or downloadable products without payment. This undermines the integrity of the e-commerce transaction process and can lead to revenue loss for online merchants using the WoodMart theme. Since the vulnerability allows unauthenticated remote exploitation, attackers can automate abuse at scale, potentially affecting many stores. Although confidentiality and availability are not directly impacted, the trustworthiness of the affected e-commerce platform is compromised, potentially damaging brand reputation. Organizations may also face increased chargebacks or disputes if fraudulent transactions are detected. Additionally, widespread exploitation could disrupt digital product distribution channels and harm the broader WordPress e-commerce ecosystem. The lack of patches increases exposure time, and the absence of known exploits in the wild suggests a window for proactive mitigation.
Mitigation Recommendations
To mitigate CVE-2025-8097, organizations should:
- Immediately implement strict input validation and sanitization on the 'qty' parameter within the WoodMart theme's cart update functionality. Specifically, ensure that quantities are validated as positive integers and reject fractional or zero values before processing.
- Until an official patch is released, consider deploying web application firewall (WAF) rules to detect and block requests containing suspicious fractional quantity values.
- Monitor e-commerce transaction logs for anomalous cart quantities or zero-dollar transactions and implement alerting for potential abuse.
- Restrict access to cart update endpoints where possible and apply rate limiting to reduce automated exploitation attempts.
- Engage with the vendor (xTemos) to obtain or request a security patch and apply it promptly once available.
- Review and harden other input validation routines in the theme to prevent similar issues.
- Educate site administrators on monitoring and incident response specific to this vulnerability.
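The two controls above that a site owner can apply themselves, strict validation of the quantity before it reaches the cart and a log check for non-integer quantity values, are shown below as an added PHP example. It is not WoodMart or WooCommerce code, and the function names, the hypothetical AJAX handler, the nonce name, the endpoint path and the log line format are assumptions; the only real WordPress/WooCommerce calls used are check_ajax_referer, wp_unslash, sanitize_text_field, wp_send_json_error, wp_send_json_success and WC()->cart->set_quantity.

```php
<?php
/**
 * Added example (not WoodMart code): reject non-integer cart quantities
 * before any total is computed, and flag request log lines carrying them.
 * Function names, handler wiring and the log format are assumptions.
 */

/**
 * Validate a raw 'qty' request value as a positive integer.
 * Returns the integer, or null when the value must be rejected.
 * Only a canonical digit string is accepted, so "0.00001", "1.0", "1e-5",
 * "+1", "-1", "0", "" and leading-zero forms are all rejected before the
 * value can take part in any price arithmetic.
 */
function example_validate_cart_qty( $raw, int $max_qty = 9999 ): ?int {
    // A tampered request body can carry an array or object instead of a scalar.
    if ( ! is_string( $raw ) && ! is_int( $raw ) ) {
        return null;
    }
    $raw = (string) $raw;
    // Canonical form: first digit 1-9, then up to five more digits. No sign,
    // no decimal point, no exponent, no whitespace.
    if ( ! preg_match( '/^[1-9][0-9]{0,5}$/', $raw ) ) {
        return null;
    }
    $qty = (int) $raw;
    // Upper bound: an absurdly large quantity is also worth rejecting.
    if ( $qty > $max_qty ) {
        return null;
    }
    return $qty;
}

/**
 * Hypothetical AJAX handler showing where the check belongs: the quantity is
 * validated first, and WC()->cart->set_quantity() only ever sees an integer.
 * Registered only when running inside WordPress.
 */
function example_ajax_update_cart_item() {
    check_ajax_referer( 'example-cart-nonce', 'security' ); // assumed nonce name
    $qty = example_validate_cart_qty( $_POST['qty'] ?? '' );
    $key = sanitize_text_field( wp_unslash( $_POST['cart_item_key'] ?? '' ) );
    if ( null === $qty || '' === $key ) {
        wp_send_json_error( array( 'message' => 'Invalid quantity.' ), 400 );
    }
    WC()->cart->set_quantity( $key, $qty, true );
    wp_send_json_success();
}
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_example_update_cart_item', 'example_ajax_update_cart_item' );
    add_action( 'wp_ajax_nopriv_example_update_cart_item', 'example_ajax_update_cart_item' );
}

/**
 * Detection side: return the request log lines whose qty value would fail
 * the same validation. The log format (constructed) is "<ip> <method> <path> <body>".
 */
function example_flag_suspicious_qty( array $log_lines ): array {
    $flagged = array();
    foreach ( $log_lines as $line ) {
        if ( preg_match( '/\bqty=([^&\s]*)/', $line, $m )
            && null === example_validate_cart_qty( urldecode( $m[1] ) ) ) {
            $flagged[] = $line;
        }
    }
    return $flagged;
}

// Stand-alone demonstration when run from the command line (php this_file.php).
if ( PHP_SAPI === 'cli' ) {
    foreach ( array( '2', '0.00001', '1.0', '1e-5', '-1', '0', '', '00002', '99999999' ) as $raw ) {
        printf( "%-12s -> %s\n", var_export( $raw, true ),
            var_export( example_validate_cart_qty( $raw ), true ) );
    }
    // Constructed log lines, not real traffic.
    $constructed_log = array(
        '203.0.113.5 POST /cart-update cart_item_key=abc123&qty=2',
        '203.0.113.5 POST /cart-update cart_item_key=abc123&qty=0.00001',
        '198.51.100.9 POST /cart-update cart_item_key=def456&qty=1e-5',
    );
    print_r( example_flag_suspicious_qty( $constructed_log ) );
}
```

The validation deliberately works on the raw string rather than casting to float or int first: a cast such as (int) "0.00001" silently yields 0 and (float) accepts the fractional value, which is exactly the class of value the advisory says must be rejected. The same function drives the log check, so the detection rule and the input rule cannot drift apart.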
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-23T17:52:17.006Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68847d96ad5a09ad005c240e
Added to database: 7/26/2025, 7:02:46 AM
Last enriched: 2/26/2026, 4:49:00 PM
Last updated: 3/21/2026, 3:58:12 AM
Views: 167