Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS. This issue affects XStore Core: from n/a through < 5.6.
Published: 2025-12-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is improper neutralization of user-supplied input during page generation (CWE-79): a request parameter is written into the HTML response without output encoding, so attacker-controlled markup or script in that parameter is reflected back to whoever loads the page. The injected script runs in the victim's browser under the origin of the affected WordPress site, not on the server; from there it can act with that user's session (cookie theft is limited by HttpOnly, but same-origin requests are not), rewrite page content, or present phishing prompts. No authentication is needed to reach the vulnerable code path (PR:N), but the attack only succeeds when a victim opens a crafted URL or submits a crafted form (UI:R). A logged-in administrator is the most valuable target, since script running in their session can use the WordPress admin interface on their behalf.

Affected Systems

The vulnerability is in XStore Core (package name et-core-plugin), the WordPress plugin 8theme ships alongside its XStore theme. The advisory gives the affected range as "from n/a through < 5.6", i.e. every release before 5.6; any site still running 5.5.x or older is exposed, whatever WordPress core version it runs.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) and the EPSS score below 1 % measure different things: the first is the worst-case impact of a successful attack, the second the estimated probability of exploitation in the wild over the next 30 days, which is currently very low. The CVE is not in the CISA KEV catalog, and the SSVC assessment recorded in the history below rates Exploitation as none, Automatable as no and Technical Impact as partial. Note that the vector has been revised: the original AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N was replaced on 23 Apr 2026 by AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, the scope-changed form conventionally used for XSS; both evaluate to 7.1. Exploitation needs no privileges (PR:N) but does need a victim to follow a crafted URL or submit a crafted form (UI:R), so the attack is cheap to attempt but depends on social engineering or on placing a malicious link where the site's users will click it.

Generated by OpenCVE AI on April 29, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade XStore Core to version 5.6 or later. The advisory's affected range ends below 5.6, so 5.6 is the first release outside it; since this page records no separate vendor fix note, confirm the fix in the plugin changelog before relying on it.
  • If an immediate update is not possible, deactivate or delete the plugin until it can be updated. This removes the reflecting endpoint at the cost of whatever functionality the plugin provides to the theme, so test the storefront afterwards.
  • A web application firewall rule set for reflected XSS (for example the OWASP Core Rule Set) and a restrictive Content-Security-Policy header reduce exposure but are not a fix: the output encoding has to happen in the plugin's PHP where the parameter is rendered (esc_html() for HTML text, esc_attr() for attribute values in WordPress), and a web server cannot retrofit that. Treat the WAF as a stopgap, since reflected XSS payloads are routinely obfuscated to slip past signature rules.

Generated by OpenCVE AI on April 29, 2026 at 18:54 UTC.
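The recommendations above leave open how to confirm that a given site, an upgrade, or a WAF rule actually stops the reflection. The Python script below is an added example, not code from XStore Core, 8theme or OpenCVE: it implements the canary technique that scanners use for reflected XSS, sending an alphanumeric token followed by the characters < " ' > and classifying the response by whether those characters come back verbatim, entity-encoded, or not at all. The parameter name s, the host shop.example and the three sample responses are constructed for the demo; the advisory does not name the affected parameter, so in practice you would substitute the one identified from the vendor changelog or your own review.

```python
"""Canary-based reflection check for a reflected XSS finding.

Added illustration, not code from XStore Core, 8theme or OpenCVE. The
parameter name 's', the host 'shop.example' and every HTTP response body
below are constructed for the demo; the advisory does not name the
affected parameter.
"""
from typing import Optional
import secrets
import urllib.parse
import urllib.request

# Characters that an HTML text node or quoted attribute must encode.
DANGEROUS = '<"\'>'


def make_canary(token: Optional[str] = None) -> str:
    """Alphanumeric token followed by the characters that must be encoded."""
    return (token or "zz" + secrets.token_hex(4)) + DANGEROUS


def classify_reflection(body: str, canary: str) -> str:
    """Classify how a response body reflects the canary.

    'vulnerable'        - canary present verbatim: < " ' > reached the page unencoded
    'reflected-encoded' - only the alphanumeric token is present (output was entity-encoded)
    'not-reflected'     - the parameter is not echoed in this response at all
    """
    token = canary[: -len(DANGEROUS)]
    if canary in body:
        return "vulnerable"
    if token in body:
        return "reflected-encoded"
    return "not-reflected"


def build_probe_url(base_url: str, param: str, canary: str) -> str:
    """Append param=canary to base_url, percent-encoding the canary as a browser would."""
    parts = urllib.parse.urlparse(base_url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query.append((param, canary))
    return urllib.parse.urlunparse(parts._replace(query=urllib.parse.urlencode(query)))


def probe(base_url: str, param: str, timeout: float = 10.0) -> str:
    """Live check: request base_url with a fresh canary in `param` and classify the reply.

    Performs a network request; only run it against systems you are authorised to test.
    """
    canary = make_canary()
    url = build_probe_url(base_url, param, canary)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return classify_reflection(body, canary)


# Constructed sample responses (not captured from any real site).
CANARY = make_canary("zz7f3a9c1e")
SAMPLE_RESPONSES = {
    # Unencoded echo: the behaviour the advisory describes for versions < 5.6.
    "raw_echo": '<div class="result">Search: zz7f3a9c1e<"\'></div>',
    # Output passed through an esc_html()-style encoder: token survives, metacharacters do not.
    "escaped_echo": '<div class="result">Search: zz7f3a9c1e&lt;&quot;&#039;&gt;</div>',
    # Parameter ignored entirely.
    "no_echo": '<div class="result">Search: </div>',
}


def demo() -> dict:
    """Classify each constructed response, keyed by the sample names above."""
    return {name: classify_reflection(body, CANARY) for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
    # Hypothetical target URL and parameter; nothing is fetched here.
    print(build_probe_url("https://shop.example/?page_id=1", "s", CANARY))
```

classify_reflection() only covers the HTML text and quoted-attribute contexts; a value reflected inside a script block or an unquoted attribute can be exploitable without any of those four characters, so a "reflected-encoded" verdict is evidence that encoding is applied, not proof that the page is safe. Run probe() before and after the upgrade (or after enabling a WAF rule) against the same URL to see whether the verdict moves from "vulnerable" to "reflected-encoded".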


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Added: 8theme; 8theme xstore Core; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: 8theme; 8theme xstore Core; Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 20:15:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS. This issue affects XStore Core: from n/a through < 5.6.
Type: Title
Values Added: WordPress XStore Core plugin < 5.6 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:10.269Z

Reserved: 2025-10-29T03:06:57.130Z

Link: CVE-2025-64189

Vulnrichment

Updated: 2025-12-18T19:43:01.280Z

NVD

Status : Deferred

Published: 2025-12-18T08:16:10.243

Modified: 2026-04-27T16:16:34.463

Link: CVE-2025-64189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:00:06Z

Weaknesses