Platform
wordpress
Component
xstore
Fixed in
9.5.5
CVE-2025-11746 describes a Local File Inclusion (LFI) vulnerability in the XStore WordPress theme. It allows authenticated attackers with Subscriber-level access or higher to include arbitrary files from the server's filesystem, executing any PHP code those files contain. All versions of XStore up to and including 9.5.4 are affected; the fix ships in version 9.5.5.
An attacker exploiting this LFI can reach remote code execution on the WordPress host. The affected code path is the etajaxrequiredpluginspopup() function: a logged-in user can make it include a file path of their choosing, which bypasses the access controls the handler was supposed to enforce and, if the included file holds PHP, runs that code as the web server user. On its own an LFI only lets the attacker include files already present on disk (which may still expose configuration and credentials); it becomes code execution once a PHP file the attacker controls exists on the server, for example through an upload feature elsewhere on the site that accepts .php files. Where that prerequisite is met, the outcome ranges from data theft and defacement to full server compromise.
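To make the pattern concrete, here is an added illustration, not XStore's own code: a simplified WordPress AJAX handler with the include weakness described above, followed by a hardened version. The hook name `et_demo_popup`, the `template` parameter and the `templates/popups` directory are assumptions for the example.

```php
<?php
// Added illustration, not XStore's code. Hook, parameter and directory names
// (et_demo_popup, 'template', templates/popups) are assumptions.

// VULNERABLE: the file to include is built from a request parameter. Every
// wp_ajax_* handler is reachable by any logged-in user, so a Subscriber can
// send template=../../../../uploads/2025/10/shell (the handler appends .php)
// and have that file executed as the web server user.
function et_demo_popup_vulnerable() {
    $tpl = isset( $_POST['template'] ) ? wp_unslash( $_POST['template'] ) : 'default';
    include get_template_directory() . '/templates/popups/' . $tpl . '.php';
    wp_die();
}

// HARDENED: nonce and capability checks, a fixed allowlist of template names,
// and a realpath containment check so that even a mistake in the allowlist
// cannot escape the intended directory.
function et_demo_popup_hardened() {
    check_ajax_referer( 'et_demo_popup', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array( 'default', 'required-plugins', 'import' );
    $tpl     = isset( $_POST['template'] ) ? sanitize_key( wp_unslash( $_POST['template'] ) ) : 'default';
    if ( ! in_array( $tpl, $allowed, true ) ) {
        wp_send_json_error( 'unknown template', 400 );
    }

    $path = et_demo_confine_path( get_template_directory() . '/templates/popups', $tpl . '.php' );
    if ( null === $path ) {
        wp_send_json_error( 'unknown template', 400 );
    }
    include $path;
    wp_die();
}

// Resolve $base/$name on disk and return it only if it stays inside $base.
// realpath() collapses "../" and symlinks before the prefix comparison is made.
function et_demo_confine_path( $base, $name ) {
    $base_real = realpath( $base );
    $target    = realpath( $base . '/' . $name );
    if ( false === $base_real || false === $target ) {
        return null;
    }
    if ( strpos( $target, $base_real . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $target;
}

add_action( 'wp_ajax_et_demo_popup', 'et_demo_popup_hardened' );
```

The allowlist is the real fix; the containment check is defence in depth for the day someone adds a dynamic template name. Note that `sanitize_key()` alone is not a substitute for either, since it only constrains the character set, not which files may be included.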
CVE-2025-11746 was publicly disclosed on 2025-10-15. No public proof-of-concept (PoC) code has been widely reported, but the bug class is simple enough that one is likely to appear. The EPSS score at the time of writing is 0.15% (36th percentile), a low predicted probability of exploitation in the wild; that should be read alongside the low bar for exploitation (a Subscriber account plus a way to place a PHP file on disk) rather than as a reason to defer patching. Monitor security advisories and threat intelligence feeds for signs of active exploitation.
Exploit Status
EPSS
0.15% (36th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-11746 is to upgrade the XStore WordPress theme to version 9.5.5 or later without delay. If upgrading is not immediately feasible, reduce the two things the attack needs. First, the attacker needs a Subscriber-level account: review whether open user registration ("Anyone can register" under Settings > General) is required, and audit existing low-privilege accounts. Second, the attacker needs a PHP file on disk to include: restrict upload permissions, disable PHP execution under wp-content/uploads at the web server, and regularly scan the installation for unauthorized .php files. A Web Application Firewall (WAF) can add a layer in front of the etajaxrequiredpluginspopup() code path by rejecting admin-ajax.php requests whose parameters carry path-traversal sequences (../) or reference .php files, which are the payload shapes an LFI attempt needs.
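As an added example that is not part of the theme or the advisory, the following must-use plugin implements two of the interim mitigations above: it rejects media uploads whose names carry a PHP-executable extension in any position, and it schedules a daily scan of the uploads directory for PHP files. The `upg_` function names and the extension list are assumptions.

```php
<?php
/**
 * Plugin Name: Uploads PHP Guard (added example, not part of XStore)
 * Description: Rejects uploads with PHP-executable extensions and logs PHP
 *              files found under wp-content/uploads once a day.
 * Install:     copy into wp-content/mu-plugins/ so it loads on every request.
 */

// Extensions that common Apache/PHP-FPM configurations hand to the PHP
// interpreter. Assumed list; extend it for your own server stack.
function upg_php_extensions() {
    return array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps' );
}

// True if $filename contains a PHP extension anywhere after the base name,
// which also catches double extensions such as shell.php.jpg that some
// servers execute via AddHandler rules.
function upg_looks_like_php( $filename ) {
    $parts = explode( '.', strtolower( basename( $filename ) ) );
    array_shift( $parts ); // drop the base name, keep only extensions
    foreach ( $parts as $ext ) {
        if ( in_array( $ext, upg_php_extensions(), true ) ) {
            return true;
        }
    }
    return false;
}

// Reject matching files before WordPress moves them into the uploads tree.
// Setting $file['error'] makes wp_handle_upload() abort with that message.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( upg_looks_like_php( $file['name'] ) ) {
        $file['error'] = 'Files with PHP-executable extensions are not accepted.';
    }
    return $file;
} );

// Walk $dir recursively and return the paths of PHP files found there.
function upg_scan_uploads( $dir ) {
    $hits = array();
    if ( ! is_dir( $dir ) ) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $f ) {
        if ( $f->isFile() && upg_looks_like_php( $f->getFilename() ) ) {
            $hits[] = $f->getPathname();
        }
    }
    return $hits;
}

// Daily scan via WP-Cron; findings go to the PHP error log for review.
add_action( 'upg_daily_scan', function () {
    $uploads = wp_upload_dir();
    foreach ( upg_scan_uploads( $uploads['basedir'] ) as $p ) {
        error_log( 'upg: PHP file found in uploads: ' . $p );
    }
} );
if ( ! wp_next_scheduled( 'upg_daily_scan' ) ) {
    wp_schedule_event( time(), 'daily', 'upg_daily_scan' );
}
```

The prefilter only covers uploads that pass through WordPress's media handling; plugins with their own upload code, FTP access or a second vulnerability can still place files. Pair it with a web-server rule that refuses to execute PHP under wp-content/uploads, since the LFI only becomes code execution when attacker-controlled PHP exists on disk.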
Update the XStore theme to version 9.5.5 or later to mitigate the local file inclusion vulnerability. Validate the source of included files to prevent execution of malicious code. Implement stricter access controls to limit access to sensitive functions.
CVE-2025-11746 is a Local File Inclusion vulnerability in the XStore WordPress theme, allowing authenticated attackers to execute arbitrary PHP code.
You are affected if you are running any version of the XStore WordPress theme up to and including 9.5.4.
Upgrade the XStore WordPress theme to version 9.5.5 or later. Consider WAF rules and file upload restrictions as temporary mitigations.
While no widespread exploitation has been confirmed, the vulnerability's nature suggests potential for exploitation, and monitoring is advised.
Refer to the XStore theme vendor's changelog and the published advisory for the official details and update instructions.