CVE-2025-6746 Overview
The WoodMart plugin for WordPress contains a Local File Inclusion (LFI) vulnerability in all versions up to and including 8.2.3. The flaw exists in the handling of the layout attribute, which fails to properly validate file paths before inclusion. Authenticated attackers with Contributor-level access or above can include and execute arbitrary .php files on the server. This enables bypass of access controls, exposure of sensitive data, and potential remote code execution when combined with file upload primitives. The vulnerability is tracked under CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program.
Critical Impact
Authenticated attackers with Contributor-level privileges can execute arbitrary PHP code on affected WordPress installations, leading to full site compromise.
Affected Products
- Xtemos WoodMart plugin for WordPress (all versions through 8.2.3)
- WordPress sites using WoodMart WooCommerce theme integration
- E-commerce deployments relying on WoodMart layout shortcodes
Discovery Timeline
- 2025-07-08 - CVE-2025-6746 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-6746
Vulnerability Analysis
The vulnerability resides in WoodMart's shortcode rendering logic, which accepts a user-controlled layout attribute and passes it to a PHP include or require statement. The plugin does not sanitize the supplied value against directory traversal sequences or restrict inclusion to an allowlist of expected template files. As a result, an authenticated user able to insert shortcodes into posts or pages can specify paths that resolve to arbitrary .php files on the local filesystem.
Once included, the targeted PHP file executes within the WordPress process context. This grants the attacker the same privileges as the web server, exposing database credentials, secrets in wp-config.php, and any writable directories. Chaining the LFI with WordPress's media upload capability available to Contributors can convert local inclusion into reliable remote code execution.
Root Cause
The root cause is improper control of a filename used in a PHP include statement, classified under CWE-98. The layout parameter flows from shortcode input to a filesystem include operation without canonicalization, path normalization, or membership validation against a whitelist of permitted template names.
Attack Vector
An attacker first obtains a Contributor account on the target WordPress site through registration, credential theft, or social engineering. The attacker then authors a post containing a WoodMart shortcode where the layout attribute references a traversal path such as a relative path resolving to a sensitive PHP file. When the post is previewed or rendered, the plugin includes the attacker-specified file, executing its PHP contents. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-6746
Indicators of Compromise
- Shortcode usage in post content containing layout attribute values with directory traversal sequences such as ../ or absolute filesystem paths
- Web server access logs showing post preview or render requests from Contributor-level accounts immediately followed by anomalous PHP execution
- Unexpected outbound network connections originating from the PHP-FPM or Apache worker processes after content edits
- New or modified PHP files in upload directories such as wp-content/uploads/
Detection Strategies
- Audit the wp_posts table for shortcode content referencing the WoodMart layout attribute with suspicious path values
- Monitor PHP include/require activity through runtime application self-protection or OPcache logging where available
- Correlate Contributor account activity with file inclusion events and process spawns from the web server user
- Inspect WordPress audit logs for posts authored by low-privilege accounts that contain layout-related shortcodes
Monitoring Recommendations
- Enable verbose web server logging and retain request bodies for POST operations to /wp-admin/post.php and preview endpoints
- Alert on creation of .php files in any directory beneath wp-content/uploads/
- Track newly registered Contributor accounts and review their first content submissions before publication
- Forward WordPress and web server logs to a centralized data lake for correlation against known LFI patterns
How to Mitigate CVE-2025-6746
Immediate Actions Required
- Update the WoodMart plugin to a version newer than 8.2.3 once a vendor-supplied patch is available from ThemeForest
- Restrict Contributor and higher role assignments to trusted users only and audit existing accounts
- Disable open user registration on production WordPress sites that do not require it
- Review all published and draft posts for malicious WoodMart shortcodes referencing the layout attribute
Patch Information
The vendor advisory is referenced through the Wordfence Vulnerability Report. Site administrators should upgrade to the latest WoodMart release distributed via ThemeForest or the plugin's automatic update channel. Verify the installed version through the WordPress admin dashboard after applying the update.
Workarounds
- Temporarily deactivate the WoodMart plugin until the patched version is installed
- Deploy a web application firewall rule blocking shortcode payloads containing path traversal sequences in the layout parameter
- Apply PHP open_basedir restrictions to confine includes to the WordPress installation directory
- Revoke Contributor privileges from non-essential accounts to reduce the attacker pool
# Example PHP open_basedir restriction in php.ini or virtual host config
php_admin_value open_basedir "/var/www/html/wordpress/:/tmp/"
# Example WAF rule pattern to block traversal in layout attribute
# SecRule ARGS "@rx layout=[\"']?[^\"']*\.\./" \
# "id:1006746,phase:2,deny,status:403,msg:'WoodMart LFI attempt CVE-2025-6746'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

