Description
The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
Published: 2026-06-10
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The XStore WordPress theme, versions prior to 9.7.3, contains an unauthenticated SQL injection flaw. An attacker can craft a malicious request to the theme’s AJAX endpoint, as no proper input sanitisation or escaping is performed before the value is incorporated into a SQL query. Successful exploitation could allow the attacker to read, modify, or delete database contents, compromising confidentiality, integrity, and availability of site data.

Affected Systems

The vulnerability affects the XStore WordPress theme before version 9.7.3. Any WordPress site using XStore prior to the 9.7.3 release is potentially impacted.

Risk and Exploitability

The attack vector is through an unauthenticated AJAX action that accepts crafted input. Because the user is not required to authenticate, any network user can attempt the injection. No EPSS data is available and the flaw is not listed in the CISA KEV catalog, but the lack of protection and the potential for full database compromise indicates a high severity risk. The CVSS score is 8.6. Exploitation does not require privileged access or complex setup beyond sending a specially constructed HTTP request to the vulnerable endpoint.

Generated by OpenCVE AI on June 10, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the XStore theme to version 9.7.3 or later, where the input sanitisation and escaping for the AJAX action have been corrected.
  • If an upgrade is delayed, block the vulnerable AJAX endpoint for non-administrators or disable it entirely using a security plugin or custom code, thereby forcing the action to be admin-only.
  • Configure a web application firewall or a rule that detects and blocks typical SQL injection patterns on the AJAX endpoint, and monitor server logs for suspicious queries attempting the injection.
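As an added illustration of the first two recommendations (this is not XStore's code, which is not shown on this page): the CWE-89 pattern in a WordPress AJAX handler next to its hardened form, and a must-use plugin stub that refuses a third-party AJAX action for anyone who is not an administrator until the theme can be updated. The action name `ACTION_NAME`, the parameter `product_id`, the nonce name and the function names are placeholders.

```php
<?php
// Added example, not XStore's code. All names are placeholders.

// --- Vulnerable pattern (CWE-89): request value concatenated into SQL. ---
function example_vulnerable_lookup() {
    global $wpdb;
    $id  = $_POST['product_id'] ?? '';                          // attacker-controlled
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = " . $id;
    wp_send_json( $wpdb->get_results( $sql ) );                 // exits
}
// Registering the nopriv variant is what exposes it to unauthenticated users.
add_action( 'wp_ajax_nopriv_example_vulnerable', 'example_vulnerable_lookup' );
add_action( 'wp_ajax_example_vulnerable', 'example_vulnerable_lookup' );

// --- Hardened form: nonce + capability gate, type coercion, prepared SQL. ---
function example_hardened_lookup() {
    global $wpdb;
    check_ajax_referer( 'example_lookup', 'nonce' );            // dies on bad/missing nonce
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id  = absint( $_POST['product_id'] ?? 0 );                  // force a non-negative int
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d AND post_status = %s",
        $id,
        'publish'
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
// No wp_ajax_nopriv_ registration: unauthenticated callers never reach the handler.
add_action( 'wp_ajax_example_lookup', 'example_hardened_lookup' );

// --- Interim mitigation for an action you cannot patch (drop in wp-content/mu-plugins). ---
// Priority 0 runs before the theme's own callback (default priority 10) and exits,
// so the unpatched handler is never executed. Replace ACTION_NAME with the real
// action name, which this page does not give.
add_action( 'wp_ajax_nopriv_ACTION_NAME', function () {
    wp_send_json_error( 'action disabled pending theme update', 403 );
}, 0 );
add_action( 'wp_ajax_ACTION_NAME', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'administrators only', 403 );
    }
}, 0 );
```

The hardened handler expects the caller to send a `nonce` field created with `wp_create_nonce( 'example_lookup' )`; `%d` in `$wpdb->prepare()` guarantees the value is emitted as an integer, so no quoting or escaping is left to the caller. The mu-plugin stub works because WordPress fires `wp_ajax_nopriv_{action}` for anonymous requests and `wp_ajax_{action}` for logged-in ones, and `wp_send_json_error()` terminates the request.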

Generated by OpenCVE AI on June 10, 2026 at 12:51 UTC.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress (wordpress), Xstore (xstore)

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress (wordpress), Xstore (xstore)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 07:45:00 +0000

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-89

Wed, 10 Jun 2026 06:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

Type: Title
  Values Removed: (none)
  Values Added: XStore < 9.7.3 - Unauthenticated SQLi

Type: References
  Values Removed: (none)
  Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-10T10:42:34.716Z

Reserved: 2026-02-27T14:03:17.900Z

Link: CVE-2026-3326

Vulnrichment

Updated: 2026-06-10T10:42:31.211Z

NVD

Status: Deferred

Published: 2026-06-10T07:16:25.263

Modified: 2026-06-10T19:41:25.327

Link: CVE-2026-3326

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T13:00:13Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')