CVE-2025-8198: CWE-472 External Control of Assumed-Immutable Web Parameter in ThemeMove MinimogWP – The High Converting eCommerce WordPress Theme
The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.9.0. This is due to an insufficient check on quantity values when changing quantities in the cart. This makes it possible for unauthenticated attackers to add items to the cart and adjust the quantity to a fractional amount, causing the price to change based on the fractional amount. The vulnerability cannot be exploited if WooCommerce version 9.8.2+ is installed.
AI Analysis
Technical Summary
CVE-2025-8198 is a vulnerability classified under CWE-472 (External Control of Assumed-Immutable Web Parameter) affecting the MinimogWP WordPress theme, widely used for eCommerce websites. The flaw arises from insufficient validation of quantity values when users modify item quantities in the shopping cart. Specifically, the theme allows unauthenticated attackers to submit fractional quantity values, which are not properly checked or sanitized. This leads to price manipulation because the pricing logic calculates totals based on these fractional quantities, potentially allowing attackers to pay less than the intended price or exploit pricing logic for financial gain. The vulnerability affects all versions of MinimogWP up to and including 3.9.0. However, the vulnerability cannot be exploited if WooCommerce version 9.8.2 or later is installed, as that version presumably includes validation or mitigation controls that prevent fractional quantities from affecting pricing. The CVSS v3.1 score is 7.5 (high), reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts data integrity (price manipulation) without affecting confidentiality or availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to eCommerce sites relying on this theme without the required WooCommerce version. The root cause is the assumption that quantity parameters are immutable or properly validated, which is violated by external control of these parameters.
Potential Impact
The primary impact of CVE-2025-8198 is financial fraud through price manipulation on eCommerce websites using the MinimogWP theme. Attackers can exploit this vulnerability to purchase products at incorrect prices by submitting fractional quantities, potentially paying less than the legitimate cost. This undermines the integrity of transaction data and can lead to revenue loss for affected organizations. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by automated attacks, increasing the risk of widespread abuse. Although confidentiality and availability are not directly impacted, the financial and reputational damage from fraudulent transactions can be significant. Organizations may also face customer trust issues and potential regulatory scrutiny if fraudulent transactions are not detected or mitigated. The vulnerability affects all sites using vulnerable versions of MinimogWP without the protective WooCommerce version, making it a critical concern for online retailers relying on this theme.
Mitigation Recommendations
To mitigate CVE-2025-8198, organizations should immediately verify the version of WooCommerce installed alongside the MinimogWP theme. Upgrading WooCommerce to version 9.8.2 or later is the most effective mitigation, as this version includes protections against fractional quantity manipulation. If upgrading WooCommerce is not immediately feasible, organizations should consider temporarily disabling the MinimogWP theme or restricting cart quantity inputs to integer values through custom validation or web application firewall (WAF) rules. Implementing strict input validation on quantity parameters at the application or server level can prevent fractional values from being processed. Additionally, monitoring transaction logs for anomalous fractional quantities or unusual purchase patterns can help detect exploitation attempts. Applying the principle of least privilege to WordPress user roles and regularly updating all plugins and themes reduces the attack surface. Finally, organizations should stay alert for official patches or updates from ThemeMove addressing this vulnerability and apply them promptly once available.
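The server-side integer-only quantity check recommended above, written as a WordPress must-use plugin. This is a constructed example added here, not code from ThemeMove or WooCommerce; it assumes the store sells only whole units and that the theme's cart operations reach WooCommerce's standard `woocommerce_add_to_cart_validation`, `woocommerce_update_cart_validation` and `woocommerce_check_cart_items` hooks (the last one re-checks whatever is already in the cart session, as a backstop for any other code path).

```php
<?php
/**
 * Plugin Name: Whole-number cart quantities (constructed example)
 *
 * Added mitigation example, not ThemeMove or WooCommerce code.
 * Place in wp-content/mu-plugins/ so it loads on every request.
 * Assumes the shop sells only whole units.
 */

// True only for a numeric value that is a whole number of at least 1.
// Rejects "0.5", "1.25", "0", "-1", "abc" and the empty string.
function wnq_is_whole_quantity( $raw ) {
	if ( ! is_numeric( $raw ) ) {
		return false;
	}
	$qty = (float) $raw;
	return $qty >= 1 && floor( $qty ) === $qty;
}

// Records a customer-facing error notice and fails validation.
function wnq_reject_quantity() {
	wc_add_notice( __( 'Quantity must be a whole number.', 'wnq' ), 'error' );
	return false;
}

// Add-to-cart path: $quantity is the value WooCommerce is about to store.
add_filter( 'woocommerce_add_to_cart_validation', function ( $passed, $product_id, $quantity ) {
	return wnq_is_whole_quantity( $quantity ) ? $passed : wnq_reject_quantity();
}, 10, 3 );

// Cart-page update path: the quantity fields submitted from the cart form.
add_filter( 'woocommerce_update_cart_validation', function ( $passed, $cart_item_key, $values, $quantity ) {
	return wnq_is_whole_quantity( $quantity ) ? $passed : wnq_reject_quantity();
}, 10, 4 );

// Backstop: when WooCommerce re-validates cart items (cart page and checkout),
// re-check every line already in the session. An error notice raised here is
// shown to the customer and checkout does not proceed while it stands.
add_action( 'woocommerce_check_cart_items', function () {
	if ( ! function_exists( 'WC' ) || ! WC()->cart ) {
		return;
	}
	foreach ( WC()->cart->get_cart() as $item ) {
		if ( ! wnq_is_whole_quantity( $item['quantity'] ) ) {
			wnq_reject_quantity();
			return;
		}
	}
} );
```

A WAF rule that rejects non-digit `quantity` parameters on cart endpoints covers the same inputs at the edge, but only the in-session backstop catches a fractional quantity that reached the cart through a path the rule did not see.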
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-25T16:26:50.958Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688573fcad5a09ad006b9cc1
Added to database: 7/27/2025, 12:34:04 AM
Last enriched: 2/26/2026, 4:54:49 PM
Last updated: 3/24/2026, 9:58:03 AM