49 matches found
CVE-2025-11746
The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via theetajaxrequiredpluginspopup function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on t...
CVE-2025-11746
The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via theetajaxrequiredpluginspopup function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on t...
CVE-2025-11746 XStore | Multipurpose WooCommerce Theme <= 9.5.4 - Authenticated (Subscriber+) Local File Inclusion
The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via theetajaxrequiredpluginspopup function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on t...
CVE-2025-11746 XStore | Multipurpose WooCommerce Theme <= 9.5.4 - Authenticated (Subscriber+) Local File Inclusion
The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via theetajaxrequiredpluginspopup function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on t...
CVE-2025-11746
CVE-2025-11746 is an authenticated Local File Inclusion vulnerability affecting the WordPress XStore/Multi-purpose WooCommerce Theme (versions <= 9.5.4). Exploitation via theet_ajax_required_plugins_popup() enables an attacker with Subscriber+ privileges to include and execute arbitrary PHP co...
WordPress XStore theme <= 9.5.4 - Authenticated (Subscriber+) Local File Inclusion vulnerability
Authenticated Subscriber+ Local File Inclusion vulnerability discovered by khanhhnahk1 in WordPress Theme XStore versions = 9.5.4...
PT-2025-42227
The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via theet ajax required plugins popup function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files ...
WordPress XStore theme < 9.6 - Content Injection vulnerability
Content Injection vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions 9.6...
CVE-2025-60100 WordPress XStore theme < 9.6 - Content Injection vulnerability
Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in 8theme XStore xstore allows Code Injection.This issue affects XStore: from n/a through 9.6...
CVE-2025-60100 WordPress XStore theme < 9.6 - Content Injection vulnerability
Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in 8theme XStore xstore allows Code Injection.This issue affects XStore: from n/a through 9.6...
WordPress XStore Theme <= 9.5.3 is vulnerable to Content Injection
Software XStore Type Theme Vulnerable versions = 9.5.3 Fixed in N/A OWASP Top 10 A3: Injection Classification Content Injection CVE CVE-2025-60100 Patch priority Low CVSS severity Low 5.3 Developer Claim ownership PSID 55131c12c2eb Credits Rafie Muhammad Patchstack Required privilege...
WordPress XStore theme < 9.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions 9.6...
CVE-2024-33561 WordPress XStore theme <= 9.3.8 - Unauthenticated Broken Access Control vulnerability
Missing Authorization vulnerability in 8theme XStore.This issue affects XStore: from n/a through 9.3.8...
CVE-2024-33563 WordPress XStore theme <= 9.3.8 - Broken Access Control vulnerability
Missing Authorization vulnerability in 8theme XStore.This issue affects XStore: from n/a through 9.3.8...
WordPress XStore Theme 9.3.8 SQL Injection
Exploit Title: Wordpress Theme XStore 9.3.8 - SQLi Google Dork: N/A Date: 2024-05-16 Exploit Author: Abdualhadi khalifa https://twitter.com/absholily Version: 5.3.5 Tested on: Windows10 CVE: CVE-2024-33559 Poc POST /?s=%27%3B+SELECT++FROM+wpposts%3B+-- HTTP/1.1 Host: example.com User-Agent:...
XStore < 9.3.9 - Unauthenticated SQLi
Description The theme is vulnerable to SQL Injection due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that c...
XStore < 9.3.9 - Reflected Cross-Site Scripting
Description The theme is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an...
WordPress XStore theme <= 9.3.8 - Arbitrary Option Update vulnerability
Arbitrary Option Update vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions = 9.3.8...
WordPress XStore theme <= 9.3.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions = 9.3.8...
WordPress XStore theme <= 9.3.8 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions = 9.3.8...