CVE-2025-64190
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows DOM-Based XSS. This issue affects XStore Core: from n/a through < 5.6.
Analysis
DOM-based cross-site scripting (XSS) in the 8theme XStore Core plugin (et-core-plugin) in versions before 5.6 lets an attacker craft a URL that, when opened by a victim, causes the plugin's own client-side JavaScript to write attacker-controlled input into the page and execute it in the victim's browser. Any WordPress site running a vulnerable build of the plugin is affected. No CVSS score was assigned to the entry; the EPSS score is very low (0.04%, i.e. a small estimated probability of exploitation activity in the near term), which suggests that, despite the XSS classification, exploitation in the wild is unlikely at the time of writing.
Technical Context
The vulnerability is a DOM-based XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) in the 8theme XStore Core WordPress plugin (plugin slug: et-core-plugin). DOM-based XSS occurs when untrusted data flows from a source (typically a URL component such as the query string or fragment, or other user-controlled input) into a sink (a DOM operation such as innerHTML, insertAdjacentHTML, document.write, jQuery's .html(), or eval) without being encoded for the context it lands in. This lets an attacker inject markup and run arbitrary JavaScript in the origin of the affected site. Unlike reflected or stored XSS, the flaw lives in the plugin's client-side code rather than in PHP, so server-side sanitisation and request filtering do not see the dangerous path; a payload carried in the URL fragment (location.hash) is never sent to the server at all. XStore Core is the companion plugin for 8theme's XStore WooCommerce theme, and the affected script handles page input during rendering without adequately neutralising it.
Affected Products
8theme XStore Core (et-core-plugin): all versions before 5.6 are affected (the advisory gives no lower bound). The vulnerability is fixed in version 5.6 and later. The plugin is the companion plugin bundled with the XStore WooCommerce theme, so any site running that theme should be assumed to have it installed.
Remediation
Update the 8theme XStore Core plugin to version 5.6 or later. In the WordPress admin dashboard, open Plugins, locate 'XStore Core' (folder et-core-plugin), confirm the installed version is below 5.6, and apply the available update. Because the plugin is bundled with the XStore theme rather than hosted on wordpress.org, an update may have to be obtained through the theme's bundled-plugin updater or downloaded from 8theme directly if automatic updates are not available. No workaround is documented for this vulnerability; patching is the only complete mitigation. Web application firewall rules offer little protection against DOM-based XSS, since a payload delivered in the URL fragment never reaches the server, and a Content Security Policy can limit what an injected script can do only if the site is able to run without 'unsafe-inline'. Further details are available in the Patchstack vulnerability database entry referenced in the advisory.