{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8105", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-24T00:47:10.124Z", "datePublished": "2025-08-16T11:11:24.459Z", "dateUpdated": "2026-04-08T17:13:34.024Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:34.024Z"}, "affected": [{"vendor": "pencidesign", "product": "Soledad", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.6.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.6.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "title": "Soledad <= 8.6.7 - Unauthenticated Arbitrary Shortcode Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6c842bb-914a-47c1-aaac-e748f58e12ef?source=cve"}, {"url": "https://themeforest.net/item/soledad-multiconcept-blogmagazine-wp-theme/12945398#item-description__update-changelog"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-07-25T17:27:32.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-15T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-18T18:00:32.162088Z", "id": "CVE-2025-8105", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T18:01:30.578Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8105", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-18T18:00:32.162088Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T18:00:37.418Z"}}], "cna": {"title": "Soledad <= 8.6.7 - Unauthenticated Arbitrary Shortcode Execution", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "pencidesign", "product": "Soledad", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "8.6.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-25T17:27:32.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-15T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6c842bb-914a-47c1-aaac-e748f58e12ef?source=cve"}, {"url": "https://themeforest.net/item/soledad-multiconcept-blogmagazine-wp-theme/12945398#item-description__update-changelog"}], "descriptions": [{"lang": "en", "value": "The The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.6.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-16T11:11:24.459Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8105", "state": "PUBLISHED", "dateUpdated": "2025-08-18T18:01:30.578Z", "dateReserved": "2025-07-24T00:47:10.124Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-16T11:11:24.459Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.6.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}, {"lang": "es", "value": "El tema Soledad para WordPress es vulnerable a la ejecuci\u00f3n de shortcodes arbitrarios en todas las versiones hasta la 8.6.7 incluida. Esto se debe a que el software permite a los usuarios ejecutar una acci\u00f3n que no valida correctamente un valor antes de ejecutar do_shortcode. Esto permite que atacantes no autenticados ejecuten shortcodes arbitrarios."}], "id": "CVE-2025-8105", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-16T12:15:31.537", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/soledad-multiconcept-blogmagazine-wp-theme/12945398#item-description__update-changelog"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6c842bb-914a-47c1-aaac-e748f58e12ef?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:00:26.611366+00:00", "value": {"mitigation_remediation": ["Upgrade the Soledad theme to version 8.6.8 or later, which removes the flaw.", "If an upgrade is not immediately possible, restrict execution of shortcodes by disabling them for unauthenticated users or using a security plugin to block do_shortcode calls from external input.", "Ensure the WordPress core and all other plugins are updated to their latest secure releases."], "summary": {"action": "Apply Patch", "impact": "Arbitrary Shortcode Execution among unauthenticated users"}, "threat_synthesis": {"affected_systems": "All installations of the Soledad theme with versions 8.6.7 or earlier are affected. The theme is provided by pencidesign under the product name Soledad. No explicit version roll\u2011up is supplied beyond the upper bound of 8.6.7.", "description_and_impact": "The Soledad WordPress theme contains a flaw that allows attackers to execute PHP code via the do_shortcode handler without proper validation. This weakness, identified as CWE\u201194, enables the execution of arbitrary shortcodes, effectively giving an unauthenticated user the ability to run any PHP code that the shortcode mechanism accepts. The result can lead to full compromise of the affected website, including data theft, defacement, or installation of malicious components.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high severity, and the EPSS score of less than 1% suggests that actual exploitation is unlikely at present, yet the vulnerability remains exploitable by unauthenticated users. It is not listed in the CISA KEV catalog. The attack vector is likely via a crafted request that triggers the do_shortcode function, relying on the theme\u2019s lack of validation. An attacker does not need prior authentication to exploit the flaw, so the scope extends to any visitor of the affected site."}}}}, "created": "2025-08-18T20:46:35.397163+00:00", "updated": "2026-04-20T22:15:06.179813+00:00", "vendors": ["pencidesign", "pencidesign$PRODUCT$soledad", "wordpress", "wordpress$PRODUCT$wordpress"]}