Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS. This issue affects XStore Core: from n/a through <= 5.6.4.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing attackers to inject and execute arbitrary script code in the context of a victim’s browser. This reflected XSS flaw can enable attackers to steal session cookies, deface content, or redirect users, thereby compromising confidentiality and integrity of user data.

Affected Systems

The issue affects the XStore Core plugin (et-core-plugin) for WordPress, by 8theme. All releases from the earliest available version up to and including version 5.6.4 are vulnerable.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (High) rates severity rather than likelihood: per the vector (AV:N/AC:L/PR:N/UI:R), the flaw is reachable over the network with low complexity and no privileges, but it requires user interaction, meaning the victim must visit a maliciously crafted URL. The EPSS score is below 1% (Very Low) and the flaw is not listed in the CISA KEV catalog, so there is no indication of known exploitation. Attackers typically construct a URL containing the malformed parameter that leads to script execution; no special privileges are required beyond getting the victim to open the link.

Generated by OpenCVE AI on March 25, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the XStore Core plugin to version 5.6.5 or later.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 8theme; 8theme xstore Core; Wordpress; Wordpress wordpress
Vendors & Products | | 8theme; 8theme xstore Core; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS. This issue affects XStore Core: from n/a through <= 5.6.4.
Title | | WordPress XStore Core plugin <= 5.6.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:23:32.043Z

Reserved: 2026-02-02T12:20:39.015Z

Link: CVE-2026-25306

Vulnrichment

Updated: 2026-03-25T20:17:24.292Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:43.653

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25306

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:58Z
