Description
The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The XStore WordPress theme, versions prior to 9.7.3, contains an unauthenticated SQL injection flaw. Because no input sanitisation or escaping is performed before the parameter value is incorporated into a SQL query, an attacker can reach the flaw with a crafted request to the theme’s AJAX endpoint. Successful exploitation could allow the attacker to read, modify, or delete database contents, compromising the confidentiality, integrity, and availability of site data.

Affected Systems

The vulnerability affects the XStore WordPress theme before version 9.7.3. Any WordPress site using XStore prior to the 9.7.3 release is potentially impacted.

Risk and Exploitability

The attack vector is an unauthenticated AJAX action that accepts crafted input. Because no authentication is required, any network user can attempt the injection. No EPSS data is available and the flaw is not listed in the CISA KEV catalog, but the absence of protection and the potential for full database compromise indicate a high severity risk. Exploitation does not require privileged access or complex setup beyond sending a specially constructed HTTP request to the vulnerable endpoint.

Generated by OpenCVE AI on June 10, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the XStore theme to version 9.7.3 or later, where the input sanitisation and escaping for the AJAX action have been corrected.
  • If an upgrade is delayed, block the vulnerable AJAX endpoint for non‑administrators or disable it entirely using a security plugin or custom code, thereby forcing the action to be admin‑only.
  • Configure a web application firewall or a rule that detects and blocks typical SQL injection patterns on the AJAX endpoint, and monitor server logs for suspicious queries attempting the injection.

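The second and first recommended actions above (gate the AJAX action to administrators while an upgrade is pending, and bind user input into the query properly) can be shown in working WordPress code. The following is an added example written for this page; it is not code from the XStore theme, from WPScan, or from OpenCVE. The advisory does not name the vulnerable AJAX action or parameter, so 'xstore_example_action', the table/column names and the option key used below are placeholders to be replaced after reading the theme's own add_action('wp_ajax_nopriv_...') registrations.

```php
<?php
/**
 * Plugin Name: Gate an unauthenticated AJAX action (added example, not theme code)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * admin-ajax.php fires 'admin_init' before it dispatches any wp_ajax_* or
 * wp_ajax_nopriv_* callback, so a check hooked there runs before the theme's
 * handler and the vulnerable code path is never reached for non-administrators.
 */

defined( 'ABSPATH' ) || exit;

// PLACEHOLDER: the advisory does not give the real action name.
const XSTORE_EXAMPLE_GATED_ACTIONS = array( 'xstore_example_action' );

/**
 * Refuse the gated actions unless the caller is an administrator, and log
 * the refusal so attempts show up in the server error log for monitoring.
 */
function xstore_example_gate_ajax_action() {
    if ( ! wp_doing_ajax() ) {
        return; // Only admin-ajax.php requests are of interest here.
    }

    $action = isset( $_REQUEST['action'] ) ? (string) wp_unslash( $_REQUEST['action'] ) : '';
    if ( ! in_array( $action, XSTORE_EXAMPLE_GATED_ACTIONS, true ) ) {
        return; // Some other action; leave it alone.
    }

    if ( current_user_can( 'manage_options' ) ) {
        return; // Administrators keep access to the action.
    }

    // REMOTE_ADDR may be a reverse proxy; treat it as a hint, not an identity.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'Blocked non-admin call to AJAX action "%s" from %s', $action, $remote ) );

    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
}
add_action( 'admin_init', 'xstore_example_gate_ajax_action' );

/**
 * The corrected query shape for a handler of this kind: the user-supplied
 * value is bound through $wpdb->prepare() rather than concatenated into the
 * SQL string. Table and meta key are hypothetical.
 */
function xstore_example_safe_lookup( $raw_value ) {
    global $wpdb;

    // Strip slashes added by WordPress and normalise the text before binding.
    $value = sanitize_text_field( wp_unslash( $raw_value ) );

    // %s placeholders are quoted and escaped by prepare(); never interpolate $value directly.
    $sql = $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s LIMIT 10",
        'xstore_example_key', // PLACEHOLDER meta key
        $value
    );

    return $wpdb->get_col( $sql );
}
```

The gate deliberately checks the capability rather than `is_user_logged_in()`, matching the "admin-only" wording of the recommendation; it also leaves every other AJAX action untouched so the rest of the site keeps working. The `error_log()` line gives the log signal the third recommendation asks for without recording the request body, which would otherwise copy attacker-controlled SQL fragments into the log.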

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 07:45:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-89

Wed, 10 Jun 2026 06:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
Title       |                | XStore < 9.7.3 - Unauthenticated SQLi
References  |                |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-10T06:00:02.581Z

Reserved: 2026-02-27T14:03:17.900Z

Link: CVE-2026-3326

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T07:16:25.263

Modified: 2026-06-10T07:16:25.263

Link: CVE-2026-3326

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T07:30:25Z

Weaknesses