Skip to main content

Xstore Core

9 CVEs product

Monthly

CVE-2026-25306 HIGH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 8theme XStore Core WordPress plugin (et-core-plugin) that allows attackers to inject malicious scripts into web pages viewed by victims. The vulnerability affects XStore Core versions up to and including 5.6.4, enabling reflected XSS attacks where unsanitized user input is echoed back in HTTP responses without proper neutralization. An attacker can craft malicious URLs containing JavaScript payloads that execute in a victim's browser when clicked, potentially stealing session tokens, credentials, or performing actions on behalf of the user.

XSS Xstore Core
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2024-33555 HIGH This Week

Missing Authorization vulnerability in 8theme XStore Core.3.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Xstore Core
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-33557 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 8theme XStore Core allows PHP Local File Inclusion.3.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal PHP Xstore Core
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-33552 CRITICAL Act Now

Improper Privilege Management vulnerability in 8theme XStore Core allows Privilege Escalation.3.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Xstore Core
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-33556 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in 8theme XStore Core.3.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Xstore Core
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-33558 MEDIUM This Month

Missing Authorization vulnerability in 8theme XStore Core.3.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Xstore Core
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-33553 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in 8theme XStore Core.3.5. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Xstore Core
NVD
CVSS 3.1
9.0
EPSS
0.7%
CVE-2024-33554 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core allows Reflected XSS.3.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Xstore Core
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2024-33551 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore Core allows SQL Injection.3.5. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Xstore Core
NVD
CVSS 3.1
9.3
EPSS
0.6%
EPSS 0% CVSS 7.1
HIGH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 8theme XStore Core WordPress plugin (et-core-plugin) that allows attackers to inject malicious scripts into web pages viewed by victims. The vulnerability affects XStore Core versions up to and including 5.6.4, enabling reflected XSS attacks where unsanitized user input is echoed back in HTTP responses without proper neutralization. An attacker can craft malicious URLs containing JavaScript payloads that execute in a victim's browser when clicked, potentially stealing session tokens, credentials, or performing actions on behalf of the user.

XSS Xstore Core
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Missing Authorization vulnerability in 8theme XStore Core.3.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Xstore Core
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 8theme XStore Core allows PHP Local File Inclusion.3.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal PHP Xstore Core
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Improper Privilege Management vulnerability in 8theme XStore Core allows Privilege Escalation.3.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Xstore Core
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in 8theme XStore Core.3.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Xstore Core
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in 8theme XStore Core.3.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Xstore Core
NVD
EPSS 1% CVSS 9.0
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in 8theme XStore Core.3.5. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Xstore Core
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core allows Reflected XSS.3.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Xstore Core
NVD
EPSS 1% CVSS 9.3
CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore Core allows SQL Injection.3.5. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Xstore Core
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy