CVE-2025-8198: CWE-472 External Control of Assumed-Immutable Web Parameter in ThemeMove MinimogWP – The High Converting eCommerce WordPress Theme
The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.9.0. This is due to an insufficient check on quantity values when changing quantities in the cart. This makes it possible for unauthenticated attackers to add items to the cart and adjust the quantity to a fractional amount, causing the price to change based on the fractional amount. The vulnerability cannot be exploited if WooCommerce version 9.8.2+ is installed.
AI Analysis
Technical Summary
CVE-2025-8198 is a high-severity vulnerability affecting the MinimogWP WordPress theme, a popular eCommerce theme developed by ThemeMove. The vulnerability arises from insufficient validation of quantity values when users modify item quantities in the shopping cart. Specifically, unauthenticated attackers can manipulate the quantity parameter to fractional values, which the theme incorrectly processes, resulting in price manipulation. This flaw allows attackers to add items to the cart and adjust quantities to fractional amounts, causing the total price to be calculated incorrectly and potentially allowing purchases at significantly reduced prices or even free. The vulnerability is rooted in CWE-472, which involves external control of an assumed-immutable web parameter, indicating that the theme trusts client-supplied quantity values without proper validation or sanitization. Notably, exploitation does not require authentication or user interaction, increasing the risk of automated attacks. However, the vulnerability cannot be exploited if the WooCommerce plugin version 9.8.2 or later is installed, as that version presumably includes fixes or mitigations that prevent fractional quantity manipulation. The CVSS v3.1 base score is 7.5, reflecting a high impact on integrity due to price manipulation, with no impact on confidentiality or availability. There are no known exploits in the wild at the time of publication, and no official patches for the theme have been linked yet. The vulnerability affects all versions of MinimogWP up to and including 3.9.0, which is the latest known version at the time of disclosure.
Potential Impact
For European organizations running eCommerce websites using the MinimogWP theme, this vulnerability poses a significant financial risk. Attackers can exploit the flaw to purchase goods at manipulated prices, leading to direct revenue loss and potential inventory depletion. Since the vulnerability can be exploited without authentication or user interaction, automated attacks or bots could rapidly exploit the flaw at scale. This could also damage customer trust if manipulated transactions are detected or if attackers use the vulnerability to disrupt normal sales operations. Additionally, organizations may face reputational damage and regulatory scrutiny under GDPR if the vulnerability leads to fraudulent transactions or impacts customer data indirectly. The inability to exploit the vulnerability when WooCommerce 9.8.2+ is installed suggests that organizations using older WooCommerce versions alongside MinimogWP are at higher risk. Given the widespread use of WordPress and WooCommerce in Europe’s eCommerce sector, the vulnerability could affect small to medium enterprises that rely on this theme for their online stores. The impact is primarily on the integrity of transaction data and financial loss rather than on confidentiality or availability.
Mitigation Recommendations
European organizations should immediately verify their WooCommerce plugin version and upgrade to 9.8.2 or later if not already done, as this version mitigates the vulnerability. Additionally, organizations should update the MinimogWP theme to the latest version once a patch addressing CVE-2025-8198 is released by ThemeMove. Until a patch is available, organizations can implement server-side validation to reject fractional quantity values in cart requests, ensuring only integer quantities are accepted. Web application firewalls (WAFs) can be configured to detect and block requests containing fractional quantity parameters. Monitoring and logging cart modification requests for anomalous fractional values can help detect attempted exploitation. Organizations should also consider temporarily disabling the MinimogWP theme or switching to an alternative theme if immediate patching is not feasible. Regular security audits and penetration testing focusing on eCommerce transaction integrity are recommended to identify similar issues. Finally, educating development and operations teams about the risks of trusting client-side parameters will help prevent similar vulnerabilities in the future.
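As an added example of the server-side integer check the recommendations describe (not code from MinimogWP, ThemeMove or WooCommerce), a WordPress mu-plugin that rejects and logs any POST quantity parameter that is not a whole number before the cart handler runs. It assumes the theme reads quantities from request parameters whose names contain `quantity` or `qty`; the advisory does not name the parameter.

```php
<?php
// Added example (not MinimogWP, ThemeMove or WooCommerce code): a WordPress
// mu-plugin guard that rejects and logs POST quantity parameters that are not
// whole numbers before any cart handler runs. Assumption: the theme reads
// quantities from parameters named *quantity* or *qty* (the advisory does not
// name the parameter).
/** True only for a non-negative whole number; 0 is kept because WooCommerce uses it to remove a cart line. */
function example_is_whole_quantity( $value ) {
    if ( is_int( $value ) ) {
        return $value >= 0;
    }
    // Request values arrive as strings: digits only, so "1.5", ".5",
    // "0.01", "1e-3", "-1" and "" are all rejected.
    return is_string( $value ) && 1 === preg_match( '/^(0|[1-9][0-9]*)$/', $value );
}

/**
 * Recursively walk a request array (cart forms post nested arrays such as
 * cart[<key>][qty]) and return [name, value] of the first quantity-like
 * parameter that is not a whole number, or null when all are acceptable.
 */
function example_find_bad_quantity( array $params, $path = '' ) {
    foreach ( $params as $name => $value ) {
        $here = '' === $path ? (string) $name : $path . '[' . $name . ']';
        if ( is_array( $value ) ) {
            $bad = example_find_bad_quantity( $value, $here );
            if ( null !== $bad ) {
                return $bad;
            }
        } elseif ( preg_match( '/quantity|qty/i', (string) $name ) && ! example_is_whole_quantity( $value ) ) {
            return array( $here, $value );
        }
    }
    return null;
}

add_action( 'wp_loaded', function () {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    $bad = example_find_bad_quantity( $_POST );
    if ( null === $bad ) {
        return;
    }
    // Log the attempt: a fractional quantity is the exploitation signature to alert on.
    error_log( sprintf( 'Rejected non-integer quantity %s=%s from %s', $bad[0], (string) $bad[1], $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    wp_die( 'Quantity must be a whole number.', 'Bad Request', array( 'response' => 400 ) );
} );
```

Drop the file into `wp-content/mu-plugins/` so it loads before the theme; the `error_log` line gives the monitoring signal the recommendations call for.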
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-25T16:26:50.958Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688573fcad5a09ad006b9cc1
Added to database: 7/27/2025, 12:34:04 AM
Last enriched: 8/3/2025, 1:02:16 AM
Last updated: 9/11/2025, 8:34:02 PM