XStore WordPress Theme CVE-2026-3326

EUVD-2026-35985 · HIGH
SQL Injection (CWE-89)
2026-06-10 · WPScan · GHSA-wgfw-5cw7-xmvc
CVSS 3.1 (NVD): 8.6

Severity by source

NVD (primary): 8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Lifecycle Timeline (5 events)

  • Jun 10, 2026 11:22 · vuln.today · Analysis generated
  • Jun 10, 2026 11:22 · NVD · CVSS changed: 8.6 (HIGH)
  • Jun 10, 2026 08:01 · EUVD · Patch available
  • Jun 10, 2026 06:00 · nvd · CVE published: HIGH 8.6
  • Jun 10, 2026 06:00 · nvd · CVE published: UNKNOWN (no severity yet)

Description (NVD)

The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Analysis (AI)

Unauthenticated SQL injection in the XStore WordPress theme before 9.7.3 allows remote attackers to inject arbitrary SQL queries through an AJAX action that fails to sanitise and escape a user-supplied parameter. Publicly available exploit code exists per WPScan, and the changed scope (S:C) with high confidentiality impact indicates an attacker can extract sensitive data across security boundaries - including WordPress user records, password hashes, and configuration secrets - without any credentials or user interaction.

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Fingerprint XStore theme version
  • Delivery: Send crafted POST to admin-ajax.php
  • Exploit: Inject SQL via vulnerable AJAX parameter
  • Install: Exfiltrate wp_users hashes and secret keys
  • C2: Crack hashes offline
  • Execute: Authenticate as administrator
  • Impact: Deploy webshell or plugin backdoor

Vulnerability Assessment (AI)

Exploitation: No authentication, no user interaction, and no special configuration are required - the vulnerable AJAX action is registered for unauthenticated users (wp_ajax_nopriv_*) and is reachable on default XStore deployments via /wp-admin/admin-ajax.php. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Real-world risk is high. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker discovers an XStore-powered storefront through Wappalyzer or theme fingerprinting, then sends a single crafted HTTP POST to /wp-admin/admin-ajax.php invoking the vulnerable XStore AJAX action with a malicious UNION-based payload in the unsanitised parameter. The response leaks administrator password hashes from wp_users and the auth/secret keys from wp_options, which the attacker then cracks offline or replays to hijack admin sessions. …

Remediation: Upgrade the XStore theme to version 9.7.3 or later - this is the vendor-released patch and the only definitive fix; consult the WPScan advisory at https://wpscan.com/vulnerability/2c5bdb17-8b12-45b5-878b-627056dc8956/ and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-3326 for confirmation. … Detailed patch versions, workarounds, and compensating controls in full report.
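
The defect described above (a request parameter used in a SQL statement inside a handler hooked to wp_ajax_nopriv_*, so that it is reachable through /wp-admin/admin-ajax.php without credentials) is a recurring WordPress pattern. The following is an added illustration written for this page; it is not XStore's code and is not derived from the advisory. It shows a hypothetical AJAX handler with the unsafe pattern next to its corrected form, which separates data from SQL with $wpdb->prepare(), validates the input before it reaches the database, and limits what the response discloses. The action name demo_lookup, the sku parameter and the query against wp_posts are assumed for the example.

```php
<?php
// Added illustration, not XStore code. Action name, parameter and query are assumed.

// --- Unsafe pattern: the request parameter is concatenated into the SQL text. ---
function demo_lookup_unsafe() {
    global $wpdb;
    $sku = isset( $_POST['sku'] ) ? wp_unslash( $_POST['sku'] ) : '';
    // BUG: no placeholder or escaping, so the caller's text becomes part of the statement
    // and can change its structure rather than only its comparison value.
    $row = $wpdb->get_row(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '" . $sku . "' LIMIT 1"
    );
    wp_send_json( $row );
}
// Registered for logged-in AND anonymous callers, so no credentials are needed to reach it.
add_action( 'wp_ajax_demo_lookup', 'demo_lookup_unsafe' );
add_action( 'wp_ajax_nopriv_demo_lookup', 'demo_lookup_unsafe' );

// --- Hardened form of the same handler. ---
function demo_lookup_safe() {
    global $wpdb;

    // 1. Validate shape and size before the value reaches the database layer.
    //    sanitize_title() reduces the value to a slug, which is all a post_name lookup needs.
    $sku = isset( $_POST['sku'] ) ? sanitize_title( wp_unslash( $_POST['sku'] ) ) : '';
    if ( '' === $sku || strlen( $sku ) > 200 ) {
        wp_send_json_error( array( 'message' => 'invalid parameter' ), 400 );
    }

    // 2. Bind the value through $wpdb->prepare(): %s is quoted and escaped by WordPress,
    //    so the input can only ever be compared, never executed as SQL.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_name = %s AND post_status = 'publish' LIMIT 1",
        $sku
    );
    $row = $wpdb->get_row( $sql );

    // 3. Return only the fields the front end needs instead of the whole row.
    wp_send_json_success(
        $row ? array( 'id' => (int) $row->ID, 'title' => $row->post_title ) : null
    );
}
add_action( 'wp_ajax_demo_lookup_safe', 'demo_lookup_safe' );
// Keep the nopriv registration only when the feature genuinely serves anonymous visitors
// (a public storefront lookup may). Anything that touches user, option or order data should
// be registered under wp_ajax_ only and additionally gated with check_ajax_referer() and
// current_user_can() inside the handler.
add_action( 'wp_ajax_nopriv_demo_lookup_safe', 'demo_lookup_safe' );
```

The unsafe variant is included only to make the difference visible; for the real theme the fix is the vendor update to 9.7.3 or later, and a code-level review of custom or child-theme AJAX handlers for the same concatenation pattern is the useful follow-up on sites that extend XStore.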

Recommended Action (AI)

Within 24 hours: Update all XStore WordPress theme installations to version 9.7.3 or later across all environments. …

CVE-2026-3326 vulnerability details – vuln.today
