Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection.This issue affects XStore: from n/a through <= 9.6.4.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Update
AI Analysis

Impact

The flaw is an improper neutralization of script‑related HTML tags that lets an attacker embed malicious code through shortcodes rendered by the XStore theme. This basic XSS vulnerability can allow injection of arbitrary JavaScript into page content, compromising the integrity and confidentiality of the site for users who visit the affected pages. While it does not guarantee remote code execution on the server, the ability to execute code on the client side can be leveraged for phishing, defacement, or credential theft.

Affected Systems

Every WordPress installation that uses the 8theme XStore theme version 9.6.4 or earlier is affected. The vulnerability applies to all releases starting from the earliest available to and including 9.6.4.

Risk and Exploitability

The CVSS score of 5.3 places this issue in the medium severity range, and the EPSS below 1% indicates a very low expected exploitation likelihood at present. It is not listed in CISA’s KEV catalog. The likely attack vector involves a remote actor who can insert or modify content—such as posts, pages, or comment submissions—that the theme processes without adequate sanitization. Authentication may be required to create or edit posts, but if public posting is enabled, it could be abused without credentials.

Generated by OpenCVE AI on April 16, 2026 at 06:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the XStore theme to the latest available version (9.6.5 or later) that includes the security fix.
  • If an upgrade cannot be performed immediately, disable or remove any custom shortcodes that accept arbitrary code input, and restrict the use of shortcodes to a safe, pre‑approved set.
  • Ensure that all user‑generated content is properly sanitized by WordPress’s built‑in escaping functions or a dedicated sanitization plugin that strips out script tags and other disallowed HTML elements.

Generated by OpenCVE AI on April 16, 2026 at 06:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Fri, 27 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared 8theme
8theme xstore
Wordpress
Wordpress wordpress
Vendors & Products 8theme
8theme xstore
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection.This issue affects XStore: from n/a through <= 9.6.4.
Title WordPress XStore theme <= 9.6.4 - Arbitrary Shortcode Execution vulnerability
Weaknesses CWE-80
References

Subscriptions

8theme Xstore
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:53.207Z

Reserved: 2026-01-28T09:50:57.104Z

Link: CVE-2026-25006

cve-icon Vulnrichment

Updated: 2026-02-27T16:20:36.899Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:14.497

Modified: 2026-04-27T21:16:26.943

Link: CVE-2026-25006

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:45:16Z

Weaknesses