CVE-2025-11746 - Vulnerability Details

- XStore | Multipurpose WooCommerce Theme <= 9.5.4 - Authenticated (Subscriber+) Local File Inclusion

Description

The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via theet_ajax_required_plugins_popup() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Published: 2025-10-15

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The XStore theme for WordPress contains a Local File Inclusion vulnerability that can be triggered through the et_ajax_required_plugins_popup function. The flaw allows authenticated users with Subscriber-level access or higher to specify a file path that the theme will include, enabling the execution of arbitrary PHP code residing on the server. This can be used to bypass access controls, exfiltrate sensitive data, or execute arbitrary code, effectively providing attackers with full code execution capabilities on the affected host.

Affected Systems

Vendor 8theme’s XStore WordPress theme, all releases up to and including version 9.5.4. 8theme, XStore, version ≤9.5.4 are impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating a high severity impact if exploited. The EPSS score is below 1%, suggesting a very low exploitation probability, and the issue is not listed in the CISA KEV catalog. The attack requires a web-based vector: the attacker must authenticate to WordPress with at least Subscriber privileges, then send a crafted AJAX request to the et_ajax_required_plugins_popup endpoint that includes an arbitrary local PHP file path.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

8theme

XStore

unaffected

Version	Status	Constraints
`0`	affected	≤ 9.5.4

No data.

Vendor	Product	Confidence	Versions
8theme	Xstore	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the XStore theme to the latest available version (9.5.5 or newer) where the inclusion flaw is fixed.
If an upgrade cannot be performed immediately, modify the et_ajax_required_plugins_popup function to validate and sanitize the file path parameter, ensuring only allowed directories and extensions are included, or block the endpoint entirely for non-Administrator users.
Remove or rename any PHP files stored in the theme or plugin directories that should not be executable, and review upload policies to prevent unintended script uploads.
Monitor the server for unusual file inclusion or execution attempts by reviewing Apache/Nginx logs and WordPress audit logs for the AJAX endpoint usage.

Generated by OpenCVE AI on April 22, 2026 at 22:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00179.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.wordfence.com/threat-intel/vulnerabilities/id/2a49db7f-62fc-472d-9edf-de5edbe48219?source=cve
https://xstore.8theme.com/update-history/

History

Mon, 20 Oct 2025 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		8theme 8theme xstore Wordpress Wordpress wordpress
Vendors & Products		8theme 8theme xstore Wordpress Wordpress wordpress

Wed, 15 Oct 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 15 Oct 2025 03:00:00 +0000

Type	Values Removed	Values Added
Description		The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via theet_ajax_required_plugins_popup() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Title		XStore \| Multipurpose WooCommerce Theme <= 9.5.4 - Authenticated (Subscriber+) Local File Inclusion
Weaknesses		CWE-22
References		https://www.wordfence.com/threat-intel/vulnerabilities/id/2a49db7f-62fc-472d-9edf-de5edbe48219?source=cve https://xstore.8theme.com/update-history/
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

8theme Xstore

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-10-15T02:26:27.267Z

Updated: 2026-04-08T16:43:28.503Z

Reserved: 2025-10-14T14:23:56.888Z

Link: CVE-2025-11746

Vulnrichment

Updated: 2025-10-15T18:39:03.312Z

NVD

Status : Deferred

Published: 2025-10-15T03:15:33.377

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:15:26Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object