The vulnerability is an improper neutralization of input during web page generation, which allows a DOM‑based XSS flaw in the 8theme XStore Core plugin. An attacker can inject malicious JavaScript into a web page that is rendered by the browser, potentially stealing session cookies, hijacking user accounts, or defacing the site. The flaw does not provide direct server‑side code execution, but it can be leveraged for broader phishing or credential theft attacks if the victim interacts with the affected content.

Any WordPress site that has the XStore Core plugin installed at a version older than 5.6 is affected. The vulnerability applies to all pre‑5.6 releases of the plugin, regardless of the exact minor version, as the input sanitization logic is missing throughout that range.

The CVSS score of 6.5 indicates a medium severity in terms of confidentiality, integrity, and availability impact. The EPSS score is below 1%, suggesting a low probability that the flaw is actively exploited today. The flaw is not listed in CISA’s KEV catalog, and exploitation requires a user to load a page that contains injected input, meaning it typically depends on phishing or social engineering. The risk is mitigated by patching, but until then the vulnerability could be used to covertly compromise user sessions.