Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS.This issue affects XStore Core: from n/a through <= 5.6.4.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 8theme XStore Core WordPress plugin (et-core-plugin) that allows attackers to inject malicious scripts into web pages viewed by victims. The vulnerability affects XStore Core versions up to and including 5.6.4, enabling reflected XSS attacks where unsanitized user input is echoed back in HTTP responses without proper neutralization. An attacker can craft malicious URLs containing JavaScript payloads that execute in a victim's browser when clicked, potentially stealing session tokens, credentials, or performing actions on behalf of the user.
Technical ContextAI
The vulnerability is rooted in improper input neutralization during web page generation, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The affected product is the 8theme XStore Core plugin (CPE: cpe:2.3:a:8theme:xstore_core:*:*:*:*:*:*:*:*), a WordPress plugin used for e-commerce functionality. The XStore Core plugin fails to properly sanitize and escape user-supplied input (such as query parameters or form data) before embedding it into HTML output. This classic reflected XSS flaw allows attackers to bypass Content Security Policy restrictions and execute arbitrary JavaScript in the context of the vulnerable web application, affecting any website running the vulnerable plugin versions.
RemediationAI
Immediately upgrade the 8theme XStore Core plugin to version 5.6.5 or later, which contains the security patch addressing the XSS vulnerability. Website administrators should verify the patched version is available from the official 8theme repository or WordPress.org plugin directory before deploying. For environments where immediate patching is not feasible, implement compensating controls including: enforce Content Security Policy (CSP) headers with script-src restrictions to prevent inline script execution, enable httponly and secure flags on all session cookies to mitigate session hijacking, and apply Web Application Firewall (WAF) rules to detect and block common XSS payload patterns in query parameters. Additionally, restrict plugin access via IP whitelisting if the vulnerable plugin is only used internally, and monitor access logs for suspicious query strings containing script tags or JavaScript protocols. Full details and any available security advisories should be obtained from the Patchstack reference: https://patchstack.com/database/Wordpress/Plugin/et-core-plugin/vulnerability/wordpress-xstore-core-plugin-5-6-4-reflected-cross-site-scripting-xss-vulnerability.
More in Xstore Core
View allImproper Privilege Management vulnerability in 8theme XStore Core allows Privilege Escalation.3.8. Rated critical severi
Unrestricted Upload of File with Dangerous Type vulnerability in 8theme XStore Core.3.8. Rated critical severity (CVSS 9
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore Core
Deserialization of Untrusted Data vulnerability in 8theme XStore Core.3.5. Rated critical severity (CVSS 9.0), this vuln
Missing Authorization vulnerability in 8theme XStore Core.3.8. Rated high severity (CVSS 8.8), this vulnerability is rem
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 8theme XStore Core allow
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core
Missing Authorization vulnerability in 8theme XStore Core.3.5. Rated medium severity (CVSS 6.5), this vulnerability is r
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15637
GHSA-qxqx-mccr-7j7g