Cyber Resilience

CVE-2025-6746

Severity: High
Published: 08 July 2025
Modified: 09 July 2025
CISA KEV: not listed
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0040 (61.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-6746 is a high-severity Local File Inclusion vulnerability in Xtemos WoodMart for WordPress, classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, the weakness class CWE titles 'PHP Remote File Inclusion'). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 38.6% of CVEs by exploit likelihood (61.4th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-6746 is a Local File Inclusion (LFI) vulnerability in the WoodMart plugin for WordPress, affecting all versions up to and including 8.2.3. The flaw lies in the handling of the 'layout' attribute: its value is used to build the path of a file that the plugin includes and executes, so an attacker can point it at arbitrary .php files already present on the server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program.

Exploitation requires an authenticated account with Contributor-level access or higher, which is enough to author content carrying the 'layout' attribute; it is reachable over the network with low attack complexity and needs no user interaction. By manipulating the attribute, the attacker can include and execute any existing .php file on the server, which can bypass access controls or expose sensitive data. If the attacker can also get a .php file of their own onto the server, for example through an upload, including it yields remote code execution.

Advisories and additional details are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/98c1363e-b25d-46fc-b6bf-0285a37f748c?source=cve and the WoodMart theme page on ThemeForest at https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492.


Vulnerability details

The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included.

CWE(s)

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An LFI in a public-facing WordPress component is exploited by submitting crafted input to the web application, which is T1190 even though the attacker first needs a low-privilege (Contributor) account. Because the flaw includes and executes arbitrary PHP files, any file the attacker can place on the server becomes a web shell, giving code execution and persistent access (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
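The two checks below are an added hunting example written for this page; they are not part of the Wordfence advisory or of WoodMart. The first scans post content for shortcode 'layout' attributes whose value looks like a file path rather than a layout name (the vulnerable shortcode's name is not given on this page, so every shortcode carrying a layout attribute is inspected and hits need manual review). The second lists PHP files under an uploads directory, the usual landing spot for the uploaded-then-included web shell the T1505.003 mapping refers to. The sample posts are constructed; the attribute name 'layout' is the only detail taken from the advisory.

```php
<?php
// Added hunting example, not part of the original advisory or of WoodMart.
// Flags shortcode 'layout' attributes whose value can only be a path, and
// lists PHP files under an uploads directory.

// Any shortcode [...] carrying layout="...", layout='...' or a bare layout=value.
const LAYOUT_ATTR_RE = '/\[[^\]]*?\blayout\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';

// Legitimate layout names are simple identifiers; anything else (slashes,
// dots, URL-encoded separators, NUL bytes) is treated as suspicious.
const SAFE_LAYOUT_RE = '/\A[a-z0-9_-]*\z/i';

// $posts: rows of ID, post_author, post_content (e.g. from wp_posts).
function find_suspicious_layout_attrs(array $posts): array {
    $hits = [];
    foreach ($posts as $post) {
        if (!preg_match_all(LAYOUT_ATTR_RE, $post['post_content'], $matches,
                            PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL)) {
            continue;
        }
        foreach ($matches as $m) {
            // Exactly one of the three capture groups matched.
            $value = $m[1] ?? $m[2] ?? $m[3];
            if (!preg_match(SAFE_LAYOUT_RE, $value)) {
                $hits[] = [
                    'ID'          => $post['ID'],
                    'post_author' => $post['post_author'],
                    'layout'      => $value,
                ];
            }
        }
    }
    return $hits;
}

// PHP files under wp-content/uploads should not exist on a healthy site and
// are the natural target for the include once an attacker has uploaded one.
function find_php_in_uploads(string $uploads_dir): array {
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploads_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (preg_match('/\.(php\d?|phtml|phar)\z/i', $file->getFilename())) {
            $found[] = $file->getPathname();
        }
    }
    return $found;
}

// Constructed sample rows standing in for:
//   SELECT ID, post_author, post_content FROM wp_posts
$sample_posts = [
    ['ID' => 101, 'post_author' => 2, 'post_content' => '[example_block layout="grid"]'],
    ['ID' => 102, 'post_author' => 7, 'post_content' => '[example_block layout="../../wp-content/uploads/2025/07/shell"]'],
    ['ID' => 103, 'post_author' => 7, 'post_content' => "[example_block layout='../../../wp-config']"],
    ['ID' => 104, 'post_author' => 3, 'post_content' => 'Prose mentioning layout=../x outside any shortcode'],
];

foreach (find_suspicious_layout_attrs($sample_posts) as $hit) {
    printf("post %d (author %d): layout=%s\n", $hit['ID'], $hit['post_author'], $hit['layout']);
}

// Usage on a live site: find_php_in_uploads('/var/www/html/wp-content/uploads')
```

In the constructed sample the two traversal values (posts 102 and 103) are reported; the plain layout name in post 101 passes, and post 104 is ignored because its layout= text is not inside a shortcode. Author IDs in the hits are the accounts to review next, since a Contributor-level account is the starting point for this attack.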

CVEs Like This One

CVE-2024-13408 (shared CWE-98)
CVE-2026-39387 (shared CWE-98)
CVE-2026-3425 (shared CWE-98)
CVE-2026-27383 (shared CWE-98)
CVE-2024-51319 (shared CWE-98)
CVE-2025-30845 (shared CWE-98)
CVE-2025-26985 (shared CWE-98)
CVE-2025-52732 (shared CWE-98)
CVE-2025-69078 (shared CWE-98)
CVE-2026-24538 (shared CWE-98)

Affected Assets

Vendor: xtemos
Product: woodmart
Versions: ≤ 8.2.4 as recorded in this asset entry. The advisory text on this page says "all versions up to, and including, 8.2.3"; confirm the first fixed release against the vendor changelog before closing a finding.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Patch WoodMart to a release later than 8.2.3; this removes the LFI in the 'layout' attribute at its source.

SI-10 Information Input Validation (prevent)
Validate the 'layout' attribute against an allowlist of known layout names and reject any value containing path separators or traversal sequences, so that no attacker-controlled string is ever used to build the path passed to include().

AC-6 Least Privilege (prevent)
Restrict Contributor-level and higher roles to trusted users, since exploitation requires the ability to author content that carries the vulnerable 'layout' attribute; review who holds those roles and remove accounts that do not need them.
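The following is an added example, written for this page, of the CWE-98 pattern described in the deeper analysis and of the allowlist validation called for under SI-10; it is not WoodMart's code. Only the attribute name 'layout' comes from the advisory; the shortcode name example_block, the function names and the templates/ directory are assumptions made for illustration.

```php
<?php
// Added example, not WoodMart's code. The attribute name 'layout' comes from
// the advisory; the shortcode name 'example_block', the function names and
// the templates/ directory are assumptions made for illustration.

// VULNERABLE PATTERN (CWE-98): the attribute value is concatenated into the
// path handed to include(). A user with Contributor access can save a post
// containing
//   [example_block layout="../../../../wp-content/uploads/2025/07/evil"]
// and the server executes wp-content/uploads/2025/07/evil.php when the post
// is rendered. Any existing .php file on the server can be targeted the same way.
function example_block_vulnerable($atts): string {
    $atts = shortcode_atts(['layout' => 'default'], $atts, 'example_block');
    ob_start();
    include __DIR__ . '/templates/' . $atts['layout'] . '.php';
    return ob_get_clean();
}

// HARDENED PATTERN: the attribute selects an entry in a fixed map; the
// attacker-controlled string never becomes part of a path.
function example_block_hardened($atts): string {
    $atts = shortcode_atts(['layout' => 'default'], $atts, 'example_block');

    $templates = [
        'default' => __DIR__ . '/templates/default.php',
        'grid'    => __DIR__ . '/templates/grid.php',
        'list'    => __DIR__ . '/templates/list.php',
    ];

    // Unknown values fall back to the default template instead of being
    // interpolated; "../x" or "grid/../../evil" simply match no key.
    $layout = array_key_exists($atts['layout'], $templates) ? $atts['layout'] : 'default';

    ob_start();
    include $templates[$layout];
    return ob_get_clean();
}

// If layout names must stay dynamic (for example, child-theme overrides),
// restrict the value to a safe character set and confirm the resolved path
// is still inside the template directory before including it.
function resolve_template_path(string $base_dir, string $name): ?string {
    if (!preg_match('/\A[a-z0-9_-]+\z/i', $name)) {
        return null;                         // rejects '.', '/', '\\' and NUL
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;                         // directory or template missing
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                         // resolved outside the template dir
    }
    return $path;
}

add_shortcode('example_block', 'example_block_hardened');
```

The map-based version is preferable to character filtering alone: it is impossible to reach a file that is not in the map, and adding a layout means adding a key, so the allowlist is reviewed whenever the feature changes. resolve_template_path() is the fallback when the set of names genuinely cannot be fixed in advance, and it pairs the character restriction with a realpath() containment check so that a future relaxation of the regex does not silently reopen the traversal.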
