CVE-2025-6746 in WoodMart Plugininfo

Summary

by MITRE • 07/08/2025

The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2025

The WoodMart WordPress plugin presents a critical local file inclusion vulnerability that affects all versions up to and including 8.2.3. This security flaw resides within the 'layout' attribute processing mechanism, creating a pathway for authenticated attackers who possess contributor-level privileges or higher to exploit the system. The vulnerability stems from insufficient input validation and sanitization of user-supplied parameters that are directly incorporated into file inclusion operations without proper security controls.

The technical implementation of this vulnerability allows an attacker with minimal privileges to manipulate the layout parameter in ways that can traverse the filesystem and include arbitrary PHP files stored on the target server. When the plugin processes the layout attribute, it fails to properly validate or sanitize the input before using it in a file inclusion context, creating a direct path for code execution. This flaw operates at the intersection of improper input validation and insecure file handling practices, making it particularly dangerous as it can be exploited by users who already have some level of access to the WordPress environment.

The operational impact of this vulnerability extends beyond simple code execution capabilities to encompass complete system compromise potential. Attackers can leverage this weakness to bypass existing access controls, potentially escalating their privileges or gaining unauthorized access to sensitive data stored within the WordPress installation. The ability to include and execute PHP files means that malicious actors can upload shell scripts or other payload files that can establish persistent access, exfiltrate database credentials, or modify core application functionality. This vulnerability essentially provides a backdoor for attackers who have already gained contributor-level access to elevate their privileges and compromise the entire WordPress environment.

Security professionals should note this vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-94 (Improper Control of Generation of Code) categories, representing both path traversal issues and code injection vulnerabilities. The ATT&CK framework categorizes this as a privilege escalation technique through exploitation of application vulnerabilities, potentially mapping to T1068 (Exploitation for Privilege Escalation) and T1566 (Phishing with Social Engineering). Organizations should immediately implement mitigation strategies including plugin updates to versions that address the LFI vulnerability, implementing network segmentation to limit access to WordPress installations, and deploying web application firewalls that can detect and block malicious file inclusion attempts. Additionally, regular security audits of installed plugins and themes should be conducted to identify similar vulnerabilities that could provide attackers with unauthorized access to systems.

The remediation approach must prioritize immediate plugin version updates to address the specific LFI vulnerability while implementing broader security controls. System administrators should also consider restricting file upload capabilities for contributor-level users and implementing proper input validation at all application entry points. Monitoring and logging mechanisms should be enhanced to detect suspicious file inclusion patterns that may indicate exploitation attempts. This vulnerability serves as a reminder of the critical importance of keeping WordPress plugins updated and maintaining comprehensive security controls throughout the application stack to prevent unauthorized access and code execution scenarios.

Reservation

06/26/2025

Disclosure

07/08/2025

Moderation

accepted

CPE

ready

EPSS

0.00470

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!