CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-8097 – WoodMart - Multipurpose WooCommerce Theme <= 8.2.6 - Improper Input Validation Leading to Unauthenticated Cart Manipulation
https://notcve.org/view.php?id=CVE-2025-8097
25 Jul 2025 — The WoodMart theme for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 8.2.6. This is due to insufficient validation of the qty parameter in the woodmart_update_cart_item function. This makes it possible for unauthenticated attackers to manipulate cart quantities using fractional values, allowing them to obtain products for free by setting extremely small quantities (e.g., 0.00001) that round cart totals to $0.00, effectively bypassing payment requirements and allo... • https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-6745 – WoodMart <= 8.2.5 - Unauthenticated Post Disclosure
https://notcve.org/view.php?id=CVE-2025-6745
10 Jul 2025 — The WoodMart plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.2.5 via the woodmart_get_posts_by_query() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. El complemento WoodMart para WordPress es vulnerable a la exposición de información en todas las versiones hasta la 8.2.5 incluid... • https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-6743 – WoodMart <= 8.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2025-6743
07 Jul 2025 — The Woodmart theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'multiple_markers' attribute in all versions up to, and including, 8.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-6746 – WoodMart <= 8.2.3 - Authenticated (Contributor+) Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-6746
07 Jul 2025 — The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included. • https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-6744 – Woodmart <= 8.2.3 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2025-6744
07 Jul 2025 — The The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://www.wordfence.com/threat-intel/vulnerabilities/id/dd056d29-3bd9-49e4-bcc4-fa487de8a27e?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12333 – WoodMart <= 8.0.3 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-12333
11 Dec 2024 — The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_instagram_ajax_query AJAX action. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. El tema Woodmart para WordPress es vulnerable a la ejecución arbitraria de códigos cortos en todas las versiones h... • https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41872 – WordPress WoodMart Theme <= 7.2.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-41872
05 Sep 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Xtemos WoodMart plugin <= 7.2.4 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada No Autenticada en el complemento Xtemos WoodMart en versiones <= 7.2.4. The WoodMart theme for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 7.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha... • https://patchstack.com/database/vulnerability/woodmart/wordpress-woodmart-theme-7-2-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32242 – WordPress Woodmart Core Plugin <= 1.0.36 is vulnerable to PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-32242
11 May 2023 — Deserialization of Untrusted Data vulnerability in xtemos WoodMart - Multipurpose WooCommerce Theme.This issue affects WoodMart - Multipurpose WooCommerce Theme: from n/a through 1.0.36. Vulnerabilidad de deserialización de datos no confiables en xtemos WoodMart - Multipurpose WooCommerce Theme. Este problema afecta a WoodMart - Multipurpose WooCommerce Theme: desde n/a hasta 1.0.36. The Woodmart Core plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.0.36 via des... • https://patchstack.com/database/vulnerability/woodmart-core/wordpress-woodmart-core-plugin-1-0-36-php-object-injection?_s_id=cve • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32240 – WordPress Woodmart theme <= 7.2.1 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-32240
11 May 2023 — Missing Authorization vulnerability in Xtemos WoodMart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WoodMart: from n/a through 7.2.1. The WoodMart theme for WordPress is vulnerable to unauthorized access, modification or loss of data due to a missing capability check on an unknown function in versions up to, and including, 7.2.1. This makes it possible for authenticated attackers , with subscriber-level access and above, to invoke this function. • https://patchstack.com/database/wordpress/theme/woodmart/vulnerability/wordpress-woodmart-theme-7-2-1-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32500 – WordPress WoodMart Theme <= 7.1.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-32500
01 Mar 2023 — Cross-Site Request Forgery (CSRF) vulnerability in xtemos WoodMart - Multipurpose WooCommerce Theme <= 7.1.1 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en xtemos WoodMart - Multipurpose WooCommerce Theme en versiones <= 7.1.1. The Woodmart theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.1.1. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to modify the ... • https://patchstack.com/database/vulnerability/woodmart/wordpress-woodmart-theme-7-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •