
8theme XStore CVE-2024-33559

CRITICAL
SQL Injection (CWE-89)
2024-04-29 audit@patchstack.com
9.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Description (CVE.org)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore allows SQL Injection. This issue affects XStore: from n/a through 9.3.5.

Analysis (AI)

SQL injection in the 8theme XStore WordPress theme, versions up to and including 9.3.5, allows remote unauthenticated attackers to alter backend database queries by supplying crafted SQL syntax through user-controllable input. The NVD impact sub-scores (C:H/I:N/A:L) describe a data-disclosure flaw rather than a data-modification one: the attacker can read database contents, with only a minor availability effect and no integrity impact. The issue carries a CVSS 9.3 rating with scope change, and publicly available exploit code exists, while EPSS places the exploitation probability at 5.82% (91st percentile), indicating elevated but not yet confirmed widespread abuse. No CISA KEV listing had been recorded for this issue at the time of analysis.

Technical Context (AI)

XStore is a widely deployed commercial WooCommerce/WordPress theme by 8theme used to power online retail storefronts. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): user-supplied input is concatenated into an SQL statement instead of being bound through WordPress's $wpdb->prepare() placeholders (%d, %s, %f) or otherwise validated before use. The Changed scope (S:C) reflects that theme code runs with the full privileges of the site's single WordPress database user, so a query injected through a theme endpoint is not confined to the tables that endpoint legitimately reads: it can reach the authentication table (wp_users password hashes), WooCommerce customer PII and order data, and anything else in the database. The advisory text reproduced above does not identify the affected endpoint or parameter.

Affected Products (AI)

8theme XStore WordPress/WooCommerce theme, from an unspecified earliest version ("n/a") through 9.3.5 inclusive. The vulnerability was reported and coordinated by Patchstack (audit@patchstack.com); site administrators should consult the corresponding Patchstack advisory and the official 8theme changelog at 8theme.com for the authoritative list of fixed builds.

Remediation (AI)

Upgrade the XStore theme to the first vendor-fixed release published after 9.3.5 via the 8theme customer portal or the WordPress theme updater. Refer to the Patchstack advisory (patchstack.com) and 8theme's changelog for the exact patched version: no specific fix version was provided in the available intelligence, and no vendor-released patched version is independently confirmed here.

If immediate patching is not possible, deploy a WordPress-aware WAF such as Patchstack, Wordfence, or Cloudflare with virtual patching rules for this CVE, restrict access to non-essential XStore AJAX and REST endpoints at the web server level, and log requests to those endpoints so that injection attempts can be detected. Web-server access logs are usually the practical source for this; the MySQL general query log captures every statement and is rarely affordable at storefront traffic levels. Aggressive WAF rules can break legitimate WooCommerce checkout flows, so tune rules in monitor mode first.

Rotate the WordPress database credentials and audit wp_users plus the customer and order tables for signs of prior data extraction. Because the flaw is a read-only injection, rotating the database password does nothing for data already copied: if exfiltration is suspected, force password resets for administrator and customer accounts and rotate the authentication keys and salts in wp-config.php so that existing sessions are invalidated.
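As an added example of the detection step above (not code from Patchstack, Wordfence or 8theme), the script below scans web-server access-log lines for SQL injection attempts against a WordPress AJAX endpoint. The log lines are constructed; the action name example_filter and the product_id parameter are placeholders and not the real affected XStore endpoint. It unwraps repeated URL encoding before matching, because a double-encoded payload (%2520 instead of %20) is a common way to slip past a rule that inspects the raw request line.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Added example, not XStore or Patchstack code. Constructed access-log lines in
# the Apache/nginx "combined" format; the endpoint, action name and parameter
# are placeholders, not the real affected XStore endpoint.
SAMPLE_LOG = r"""
203.0.113.5 - - [29/Apr/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_filter&product_id=42 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Apr/2024:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=example_filter&product_id=42%20UNION%20ALL%20SELECT%20user_login,user_pass%20FROM%20wp_users HTTP/1.1" 200 2100 "-" "curl/8.4.0"
203.0.113.9 - - [29/Apr/2024:10:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=example_filter&product_id=42%2520AND%2520SLEEP%25285%2529 HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.3 - - [29/Apr/2024:10:02:40 +0000] "POST /wp-json/wc/store/v1/cart/add-item HTTP/1.1" 201 340 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Ordered rules; the first match wins. Kept deliberately narrow so that
# ordinary product names and search terms do not trip them.
RULES = [
    ("union-select", re.compile(
        r"\bunion\b(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select\b", re.I)),
    ("tautology", re.compile(r"\b(?:or|and)\b\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("schema-probe", re.compile(r"\binformation_schema\b", re.I)),
]


def fully_decode(value, max_rounds=3):
    """Unwrap repeated URL encoding (%2520 -> %20 -> space) before matching.

    Stops when decoding no longer changes the value, so a plain value is
    returned unchanged and a double-encoded payload is fully unwrapped.
    """
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return one hit per query parameter whose decoded value matches a rule."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl already decodes one layer; fully_decode handles the rest.
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = fully_decode(value)
            for rule, rx in RULES:
                if rx.search(decoded):
                    hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "param": name, "value": decoded, "rule": rule})
                    break
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["rule"]:13} {hit["param"]}={hit["value"]}')
```

On the sample above the benign product lookup and the REST cart call produce nothing, while the UNION-based read and the double-encoded time-based probe are reported with the decoded value, so the analyst sees "42 AND SLEEP(5)" rather than the %2528 soup in the raw line. Access logs do not contain POST bodies, so for endpoints that take parameters in the body the same matching has to run at the WAF or in application logging; the rules are a starting point to tune against real traffic, not a complete signature set.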


CVE-2024-33559 vulnerability details – vuln.today
