14 matches found
CVE-2026-25307 WordPress XStore Core plugin < 5.7 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows DOM-Based XSS. This issue affects XStore Core: from n/a through 5.7...
CVE-2026-25006 WordPress XStore theme <= 9.6.4 - Arbitrary Shortcode Execution vulnerability
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection. This issue affects XStore: from n/a through <= 9.6.4...
CVE-2025-64189
CVE-2025-64189 affects the WordPress XStore Core et-core-plugin. It is a Cross-Site Scripting (Reflected XSS) vulnerability caused by improper input neutralization during web page generation. The issue affects XStore Core versions from n/a up to and including
CVE-2025-64192
CVE-2025-64192 affects the WordPress XStore theme (XStore) with versions prior to 9.6. The issue is a Missing Authorization vulnerability caused by broken access control, allowing exploitation due to improperly configured access levels. Public documentation in the connected sources confirms the i...
CVE-2025-64193
CVE-2025-64193 affects WordPress XStore plugin vulnerabilities: an improper control of filenames for PHP include/require leads to Local File Inclusion in XStore versions prior to 9.6.1. The issue is described as a PHP Remote File Inclusion-type flaw that enables LFI within the XStore code path. A...
CVE-2025-64193 WordPress XStore theme < 9.6.1 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in 8theme XStore xstore allows PHP Local File Inclusion. This issue affects XStore: from n/a through 9.6.1...
CVE-2025-64192 WordPress XStore theme < 9.6 - Broken Access Control vulnerability
Missing Authorization vulnerability in 8theme XStore xstore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects XStore: from n/a through 9.6...
CVE-2025-60100
CVE-2025-60100 is linked to 8theme XStore for WordPress. The connected documents indicate an unauthenticated, arbitrary shortcode execution vulnerability in XStore versions up to 9.5.3, caused by improper neutralization of script-related HTML tags in a web page (basic XSS). The Wordfence entry li...
WordPress XStore theme <= 9.3.8 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions <= 9.3.8...
WordPress XStore Core plugin <= 5.3.8 - Limited Arbitrary File Upload vulnerability
Limited Arbitrary File Upload vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin XStore Core versions <= 5.3.8...
WordPress XStore Theme <= 9.3.8 is vulnerable to Cross Site Scripting (XSS)
Software: XStore; Type: Theme; Vulnerable versions: <= 9.3.8; Fixed in: 9.3.9; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-33562; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 5d1626b7824f; Credits: Rafie Muhammad Patchstack; Required privile...
WordPress XStore Core Plugin <= 5.3.8 is vulnerable to Arbitrary File Download
Software: XStore Core; Type: Plugin; Vulnerable versions: <= 5.3.8; Fixed in: 5.3.9; OWASP Top 10: A1: Broken Access Control; Classification: Arbitrary File Download; CVE: CVE-2024-33558; Patch priority: High; CVSS severity: High 6.5; PSID: 535d5071f992; Credits: Rafie Muhammad Patchstack...
WordPress XStore Theme <= 9.3.8 is vulnerable to Broken Access Control
Software: XStore; Type: Theme; Vulnerable versions: <= 9.3.8; Fixed in: 9.3.9; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-33561; Patch priority: High; CVSS severity: High 7.5; PSID: b6ec6d6c7945; Credits: Rafie Muhammad Patchstack; Required...
WordPress XStore Core Plugin <= 5.3.8 is vulnerable to Arbitrary File Upload
Software: XStore Core; Type: Plugin; Vulnerable versions: <= 5.3.8; Fixed in: 5.3.9; OWASP Top 10: A1: Broken Access Control; Classification: Arbitrary File Upload; CVE: CVE-2024-33556; Patch priority: High; CVSS severity: High 8.2; PSID: 108b732f3dae; Credits: Rafie Muhammad Patchstack...