Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection. This issue affects XStore: from n/a through < 9.6.
Published: 2025-09-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a Basic XSS flaw that allows an attacker to inject script-related HTML tags through the WordPress XStore theme, resulting in content injection. Because user-provided input is not properly neutralized, malicious scripts can execute in the context of page visitors, potentially enabling defacement, credential theft, or further compromise.

Affected Systems

The flaw affects all released editions of the 8theme XStore theme prior to version 9.6, regardless of the specific sub-release. Users running any earlier theme build are potentially exposed.

Risk and Exploitability

With a CVSS base score of 5.3, the risk is moderate. The EPSS score of less than 1% indicates a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers can likely deliver the payload through any administrator or customizer interface that accepts unescaped HTML, meaning the exploit path requires remote access to the site's backend or an exposed input that accepts arbitrary markup.

Generated by OpenCVE AI on April 30, 2026 at 00:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the XStore theme to version 9.6 or later, which removes the vulnerable injection point.
  • Verify that no injected scripts remain in theme options, widgets, or custom code blocks; delete any malicious content found.
  • If an upgrade is not immediately possible, restrict or disable theme customization features that allow raw HTML input, and enforce strict output encoding to neutralize script tags.

Tracking

Advisories
Source: EUVD
ID: EUVD-2025-31300
Title: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore allows Code Injection. This issue affects XStore: from n/a through 9.5.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Removed: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore allows Code Injection. This issue affects XStore: from n/a through 9.5.3.
  Values Added: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection.This issue affects XStore: from n/a through < 9.6.

Type: Title
  Values Removed: WordPress XStore Theme <= 9.5.3 - Content Injection Vulnerability
  Values Added: WordPress XStore theme < 9.6 - Content Injection vulnerability

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Mon, 29 Sep 2025 16:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Sep 2025 09:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: 8theme; 8theme xstore; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: 8theme; 8theme xstore; Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 08:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore allows Code Injection. This issue affects XStore: from n/a through 9.5.3.

Type: Title
  Values Removed: (none)
  Values Added: WordPress XStore Theme <= 9.5.3 - Content Injection Vulnerability

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-80

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:54.811Z

Reserved: 2025-09-25T15:20:16.564Z

Link: CVE-2025-60100

Vulnrichment

Updated: 2025-09-29T15:58:53.211Z

NVD

Status : Deferred

Published: 2025-09-26T09:15:35.447

Modified: 2026-04-23T15:34:13.150

Link: CVE-2025-60100

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:15:23Z

Weaknesses