Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows DOM-Based XSS. This issue affects XStore Core: from n/a through < 5.7.
Published: 2026-02-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (DOM-Based)
Action: Patch
AI Analysis

Impact

This vulnerability arises from improper input sanitization in the 8theme XStore Core plugin, allowing attackers to inject and execute malicious scripts in users' browsers during page rendering. The flaw is a DOM‑based Cross‑Site Scripting (XSS) vulnerability.

Affected Systems

The affected product is 8theme XStore Core for WordPress, specifically versions up to but not including 5.7. Users running any pre‑5.7 release are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk, while the EPSS score of less than 1% suggests a low probability of exploitation so far. The issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could use a crafted URL or form input that the browser processes, executing attacker‑supplied JavaScript within the context of the site. Attacks are client‑side and require victim interaction, such as clicking a link or visiting an injected page.

Generated by OpenCVE AI on April 16, 2026 at 17:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the XStore Core plugin to version 5.7 or later.
  • If the upgrade cannot be performed immediately, consider disabling the plugin or restricting its usage to trusted users.
  • Deploy a web application firewall or input validation rules that block JavaScript payloads in user input.


Advisories

No advisories yet.

History

Fri, 20 Feb 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 17:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: 8theme; 8theme xstore Core; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: 8theme; 8theme xstore Core; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows DOM-Based XSS. This issue affects XStore Core: from n/a through < 5.7.

Type: Title
Values Removed: (none)
Values Added: WordPress XStore Core plugin < 5.7 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:43.839Z

Reserved: 2026-02-02T12:20:39.016Z

Link: CVE-2026-25307

Vulnrichment

Updated: 2026-02-20T16:52:27.328Z

NVD

Status: Deferred

Published: 2026-02-19T09:16:14.920

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25307

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses