XStore: Malicious Code Can Run in Browser

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.5

XStore: Malicious Code Can Run in Browser

CVE-2026-25305

Summary

XStore versions 9.6.4 and earlier may allow an attacker to inject malicious code into a website, potentially stealing user data or taking control of the site. This issue can be exploited by a hacker who sends a specially crafted request to the website. Upgrade to version 9.6.5 or later to fix the issue.

Original title

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore xstore allows DOM-Based XSS.This issue affects XStore: from n/a through <= 9.6.4.

Original description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore xstore allows DOM-Based XSS.This issue affects XStore: from n/a through <= 9.6.4.

nvd CVSS3.1 6.5

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://patchstack.com/database/Wordpress/Theme/xstore/vulnerability/wordpress-x...

Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026