Platform: wordpress
Component: xstore
Fixed in: 9.5.5
CVE-2025-11746 describes a Local File Inclusion (LFI) vulnerability affecting the XStore WordPress theme. This vulnerability allows authenticated attackers with Subscriber access or higher to include and execute arbitrary PHP files on the server. The vulnerability impacts versions 0.0.0 through 9.5.4 of the XStore theme, and a patch is available in version 9.5.5.
An attacker exploiting this LFI vulnerability can achieve remote code execution on the WordPress server. By crafting malicious PHP files and including them through the et_ajax_required_plugins_popup() function, an attacker can bypass access controls and execute arbitrary code. This could lead to data breaches, website defacement, or complete server compromise. The ability to upload and include .php files is a prerequisite for successful exploitation, but where it is present, the impact is significant. This vulnerability shares similarities with other LFI exploits in which attackers leverage file inclusion to gain unauthorized access and control.
CVE-2025-11746 was publicly disclosed on 2025-10-15. No public proof-of-concept (PoC) code has been identified at the time of writing. The CVSS score of 8.8 (HIGH) indicates a significant risk. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation, if file upload is enabled, warrants immediate attention.
Websites using the XStore WordPress theme, particularly those with file upload functionality enabled, are at risk. Shared hosting environments where users have limited control over server configurations are also particularly vulnerable, as they may be unaware of the outdated theme version or lack the ability to perform updates.
• wordpress / composer / npm: grep -r 'et_ajax_required_plugins_popup()' /var/www/html/wp-content/themes/xstore/
• wordpress / composer / npm: wp theme list | grep xstore (XStore is a theme, so it appears in wp theme list, not wp plugin list)
• wordpress / composer / npm: find /var/www/html/wp-content/uploads/ -name '*.php' -type f
Disclosure
Exploit status
EPSS: 0.15% (36th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-11746 is to immediately upgrade the XStore WordPress theme to version 9.5.5 or later. If upgrading is not immediately feasible, consider restricting file upload permissions to prevent attackers from uploading malicious PHP files. Implement a Web Application Firewall (WAF) with rules to block attempts to include arbitrary files. Monitor WordPress logs for suspicious file inclusion attempts, particularly those targeting the et_ajax_required_plugins_popup() function. After upgrading, verify the fix by attempting to access a non-existent PHP file through the vulnerable function and confirming that access is denied.
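As an added example that is not part of this advisory, the following Python script performs the same checks as the commands above: it reads the XStore theme version from style.css and compares it with the fixed release 9.5.5, and it lists PHP files under wp-content/uploads. The directory layout, the sample style.css header and the stray .php file are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (9, 5, 5)  # first patched XStore release named in the advisory

def parse_version(text):
    """Turn '9.5.4' (or a shorter '9.5') into a 3-tuple of ints for comparison."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True for every XStore version below the 9.5.5 fix (0.0.0 through 9.5.4)."""
    return parse_version(version) < FIXED_VERSION

def theme_version_from_style_css(style_css_text):
    """Read the 'Version:' line of a WordPress theme's style.css header block."""
    m = re.search(r"^\s*Version:\s*([\d.]+)", style_css_text, re.M | re.I)
    return m.group(1) if m else None

def php_files_under(uploads_dir):
    """Same check as the advisory's find command: any .php file under uploads."""
    return sorted(str(p) for p in Path(uploads_dir).rglob("*.php") if p.is_file())

def audit(theme_dir, uploads_dir):
    """Combine the version check and the uploads scan into one report."""
    css = Path(theme_dir, "style.css")
    version = theme_version_from_style_css(css.read_text()) if css.exists() else None
    return {
        "theme_version": version,
        "affected": is_affected(version) if version else None,
        "php_uploads": php_files_under(uploads_dir),
    }

def run_constructed_demo():
    """Build a throwaway wp-content tree (constructed data) and audit it."""
    root = Path(tempfile.mkdtemp())
    theme = root / "themes" / "xstore"
    uploads = root / "uploads" / "2025" / "10"
    theme.mkdir(parents=True)
    uploads.mkdir(parents=True)
    (theme / "style.css").write_text("/*\nTheme Name: XStore\nVersion: 9.5.4\n*/\n")
    (uploads / "stray.php").write_text("<?php // constructed sample, not a payload\n")
    return audit(theme, uploads)

if __name__ == "__main__":
    print(run_constructed_demo())
```

A PHP file under uploads is a finding to investigate, not proof of compromise; the version check is the decisive part.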
Update the XStore theme to version 9.5.5 or later to mitigate the local file inclusion vulnerability. Verify the source of included files to prevent execution of malicious code. Implement stricter access controls to limit access to sensitive functions.
CVE-2025-11746 is a Local File Inclusion vulnerability in the XStore WordPress theme, allowing authenticated attackers to execute arbitrary PHP code.
You are affected if you are using XStore WordPress theme versions 0.0.0 through 9.5.4.
Upgrade the XStore WordPress theme to version 9.5.5 or later. Consider WAF rules and file upload restrictions as temporary mitigations.
While no widespread exploitation has been confirmed, the vulnerability's nature suggests potential for exploitation, and monitoring is advised.
Refer to the XStore theme developer's website or WordPress plugin repository for the official advisory and update information.