CVE-2025-6746
Published: 08 July 2025
Summary
CVE-2025-6746 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Xtemos Woodmart. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 38.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-6746 is a Local File Inclusion (LFI) vulnerability in the WoodMart plugin for WordPress, affecting all versions up to and including 8.2.3. The flaw exists in the 'layout' attribute, which enables the inclusion and execution of arbitrary .php files on the server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating the 'layout' attribute, they can include and execute PHP code from arbitrary .php files, potentially bypassing access controls, extracting sensitive data, or achieving remote code execution if .php files are uploadable.
Advisories and additional details are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/98c1363e-b25d-46fc-b6bf-0285a37f748c?source=cve and the WoodMart theme page on ThemeForest at https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20411
Vulnerability details
The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI in a public-facing WordPress plugin directly enables T1190 exploitation by authenticated users; arbitrary PHP inclusion facilitates web shell deployment (T1505.003) for RCE and persistence.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation (SI-2) requires timely patching of the WoodMart plugin to a version later than 8.2.3, which directly eliminates the LFI vulnerability in the 'layout' attribute.
- Information input validation (SI-10) on the 'layout' attribute allowlists the permitted values and blocks path traversal, preventing the inclusion and execution of arbitrary PHP files.
- Least privilege prevents users with Contributor-level access or higher from manipulating the vulnerable 'layout' attribute in post editing or similar functions.
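The input-validation control above, as an added example that is not WoodMart's own code: a hypothetical shortcode-style handler (names LAYOUT_TEMPLATES, resolve_layout_template and render_layout are assumed) resolves the 'layout' attribute through an allowlist, so the attribute value never becomes part of an include path, and a realpath() containment check catches any escape from the template directory.

```php
<?php
// Added example (not WoodMart's code); LAYOUT_TEMPLATES, resolve_layout_template
// and render_layout are hypothetical. The 'layout' attribute only selects a key
// in an allowlist and never becomes part of an include path.
declare(strict_types=1);

// Allowlist: attribute value -> template filename. Unknown values fall back to
// the default layout instead of being interpolated into a path.
const LAYOUT_TEMPLATES = [
    'default' => 'layout-default.php',
    'grid'    => 'layout-grid.php',
    'list'    => 'layout-list.php',
];

function resolve_layout_template(string $layout, string $template_dir): string
{
    $key  = array_key_exists($layout, LAYOUT_TEMPLATES) ? $layout : 'default';
    $path = rtrim($template_dir, '/') . '/' . LAYOUT_TEMPLATES[$key];
    // Defence in depth: realpath() collapses '..' and symlinks, so the file
    // must really sit inside $template_dir even if an allowlist entry is wrong.
    $real_dir  = realpath($template_dir);
    $real_path = realpath($path);
    if ($real_dir === false || $real_path === false
        || strncmp($real_path, $real_dir . DIRECTORY_SEPARATOR, strlen($real_dir) + 1) !== 0) {
        throw new RuntimeException("Refusing to include layout '$layout'");
    }
    return $real_path;
}

// Shortcode-style handler: $atts comes from post content, i.e. from any user
// who can edit posts (Contributor and above in the advisory).
function render_layout(array $atts, string $template_dir): string
{
    $layout = isset($atts['layout']) ? (string) $atts['layout'] : 'default';
    ob_start();
    include resolve_layout_template($layout, $template_dir);
    return (string) ob_get_clean();
}
// Self-contained demo with constructed templates in a temporary directory.
$dir = sys_get_temp_dir() . '/layout-demo-' . getmypid();
mkdir($dir);
foreach (LAYOUT_TEMPLATES as $file) {
    file_put_contents("$dir/$file", "<?php echo 'rendered $file';");
}
echo render_layout(['layout' => 'grid'], $dir), PHP_EOL;          // allowed key
echo render_layout(['layout' => '../../secret'], $dir), PHP_EOL;  // traversal attempt -> default
echo render_layout(['layout' => 'upload.php'], $dir), PHP_EOL;    // unknown key -> default
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Only keys present in LAYOUT_TEMPLATES ever reach include, so adding a layout means adding a map entry, never accepting a filename from post content.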