CVE Alert: CVE-2025-7366 – sizam – REHub – Price Comparison, Multi Vendor Marketplace WordPress Theme

CVE-2025-7366

HIGH. No exploitation known.

The REHub – Price Comparison, Multi Vendor Marketplace WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 19.9.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CVSS v3.1 base score: 7.3
Vendor: sizam
Product: REHub – Price Comparison, Multi Vendor Marketplace WordPress Theme
Versions: ≤ 19.9.7
CWE: CWE-94 Improper Control of Generation of Code (‘Code Injection’)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Published: 2025-09-06T01:45:16.846Z
Updated: 2025-09-06T01:45:16.846Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated remote arbitrary shortcode execution via the REHub theme could enable attacker-driven code on vulnerable WordPress sites.

Why this matters

Unauthenticated access means automated exploitation is feasible against exposed sites, risking defacement or injection of malicious content and potential SEO penalties. Even with low integrity and availability impacts, the ability to run code within the WordPress process can enable backdoors or data exposure on affected installations.

Most likely attack path

An attacker targets public sites running REHub <= 19.9.7, requiring no user interaction. By submitting crafted input that leverages do_shortcode without proper validation, the attacker executes arbitrary shortcodes, gaining code execution within the site’s PHP context and potential content manipulation or backdoor deployment.
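
The weakness described above, an action that hands request-controlled text to do_shortcode without validating it, and one way to harden it, shown as an added illustrative example (this is not REHub's code; the action name, parameter names and shortcode tags are assumptions):

```php
<?php
// Illustrative example, not the theme's code. The action 'theme_render_block',
// the 'tag' / 'limit' / 'cat' parameters and the shortcode tag names are assumed.

// Weak form: request text is wrapped in brackets and passed straight to
// do_shortcode(). Registered via wp_ajax_nopriv_, any unauthenticated caller
// can make the site run whichever registered shortcode they name.
function theme_render_block_unsafe() {
    $markup = '[' . $_POST['tag'] . ']';
    echo do_shortcode( $markup );
    wp_die();
}

// Hardened form: allowlist the shortcode tags this endpoint may render,
// validate each attribute to its expected type, build the shortcode string
// from sanitized parts only, and require a nonce from a logged-in session.
function theme_render_block_safe() {
    check_ajax_referer( 'theme_render_block', 'nonce' );

    $allowed_tags = array( 'products_grid', 'deals_list' ); // assumed tag names
    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, $allowed_tags, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'shortcode tag not permitted', 400 );
    }

    // Only attributes this endpoint knows about, each validated individually.
    $limit = isset( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 10;
    $limit = min( max( $limit, 1 ), 50 );
    $cat   = isset( $_POST['cat'] ) ? sanitize_title( wp_unslash( $_POST['cat'] ) ) : '';

    $markup = sprintf( '[%s limit="%d" cat="%s"]', $tag, $limit, esc_attr( $cat ) );
    wp_send_json_success( do_shortcode( $markup ) );
}

// Registered for authenticated requests only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_theme_render_block', 'theme_render_block_safe' );
```

When reviewing a theme or plugin for this bug class, search for do_shortcode calls whose argument can be traced back to $_GET, $_POST or $_REQUEST and confirm an allowlist check sits between them.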

Who is most exposed

Public WordPress deployments using the REHub theme (up to version 19.9.7), including multi-vendor marketplace setups, are most at risk—especially sites lacking strict input validation and with exposed shortcode endpoints.

Detection ideas

  • Logs show unusual or crafted shortcode requests on pages handling dynamic content.
  • PHP error logs reveal do_shortcode misuse or code injection attempts.
  • New or modified files under wp-content, uploads, or theme directories.
  • Unusual admin or content changes shortly after external requests.
  • WAF/IPS alerts for suspicious shortcode patterns or code-injection attempts.

Mitigation and prioritisation

  • Patch to the latest REHub version or apply the vendor security fix immediately.
  • Implement a content-security / input-validation rule to block unvalidated shortcode processing; consider disabling shortcodes in untrusted contexts if feasible.
  • Enable robust monitoring: file integrity, PHP runtime logs, and atypical file writes; strengthen user role permissions for admin panels.
  • Apply compensating controls: restrict access to shortcode endpoints, implement WAF rules, and ensure validated backups before patching.
  • Change-management: schedule prompt upgrade verification in the next maintenance window; verify site functionality post-patch.
  • If KEV is true or EPSS ≥ 0.5, treat as priority 1. (Data not provided in this case.)
