Skip to main content

Xstore Core EUVDEUVD-2026-15637

| CVE-2026-25306 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-qxqx-mccr-7j7g
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15637
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS.This issue affects XStore Core: from n/a through <= 5.6.4.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 8theme XStore Core WordPress plugin (et-core-plugin) that allows attackers to inject malicious scripts into web pages viewed by victims. The vulnerability affects XStore Core versions up to and including 5.6.4, enabling reflected XSS attacks where unsanitized user input is echoed back in HTTP responses without proper neutralization. An attacker can craft malicious URLs containing JavaScript payloads that execute in a victim's browser when clicked, potentially stealing session tokens, credentials, or performing actions on behalf of the user.

Technical ContextAI

The vulnerability is rooted in improper input neutralization during web page generation, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The affected product is the 8theme XStore Core plugin (CPE: cpe:2.3:a:8theme:xstore_core:*:*:*:*:*:*:*:*), a WordPress plugin used for e-commerce functionality. The XStore Core plugin fails to properly sanitize and escape user-supplied input (such as query parameters or form data) before embedding it into HTML output. This classic reflected XSS flaw allows attackers to bypass Content Security Policy restrictions and execute arbitrary JavaScript in the context of the vulnerable web application, affecting any website running the vulnerable plugin versions.

RemediationAI

Immediately upgrade the 8theme XStore Core plugin to version 5.6.5 or later, which contains the security patch addressing the XSS vulnerability. Website administrators should verify the patched version is available from the official 8theme repository or WordPress.org plugin directory before deploying. For environments where immediate patching is not feasible, implement compensating controls including: enforce Content Security Policy (CSP) headers with script-src restrictions to prevent inline script execution, enable httponly and secure flags on all session cookies to mitigate session hijacking, and apply Web Application Firewall (WAF) rules to detect and block common XSS payload patterns in query parameters. Additionally, restrict plugin access via IP whitelisting if the vulnerable plugin is only used internally, and monitor access logs for suspicious query strings containing script tags or JavaScript protocols. Full details and any available security advisories should be obtained from the Patchstack reference: https://patchstack.com/database/Wordpress/Plugin/et-core-plugin/vulnerability/wordpress-xstore-core-plugin-5-6-4-reflected-cross-site-scripting-xss-vulnerability.

Share

EUVD-2026-15637 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy