Platform
wordpress
Component
et-core-plugin
Fixed in
5.6.5
CVE-2026-25306 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the XStore Core plugin for WordPress. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions of XStore Core from 0.0.0 up to and including 5.6.4, and a patch is available in version 5.6.5.
The primary impact of this vulnerability is the ability for an attacker to execute arbitrary JavaScript code within the context of a victim's browser. This can be exploited to steal cookies, session tokens, and other sensitive information. An attacker could also redirect users to malicious websites, deface the website, or inject malware. Given the widespread use of WordPress and the XStore Core plugin, a successful exploitation could affect a large number of users and websites. The reflected nature of the XSS means that an attacker needs to trick a user into clicking a malicious link, but this is often achievable through phishing or social engineering techniques.
CVE-2026-25306 was publicly disclosed on 2026-03-25. No public proof-of-concept (PoC) code has been released at the time of this writing, but the vulnerability's nature makes it likely that PoCs will emerge. It is not currently listed on CISA KEV. The ease of exploitation, combined with the plugin's popularity, suggests a medium probability of exploitation.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
CVSS Vector
The most effective mitigation is to immediately upgrade the XStore Core plugin to version 5.6.5 or later. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider implementing input validation and output encoding on user-supplied data to prevent XSS. Web Application Firewalls (WAFs) can be configured to filter out malicious requests containing XSS payloads. Regularly scan your WordPress installation for vulnerabilities using security plugins and keep all plugins and themes updated.
Update to version 5.6.5, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-25306 is a Reflected XSS vulnerability in the XStore Core WordPress plugin, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using XStore Core versions 0.0.0 through 5.6.4. Upgrade to 5.6.5 or later to mitigate the risk.
Upgrade the XStore Core plugin to version 5.6.5 or later. If upgrading is not possible immediately, implement input validation and output encoding.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that exploitation attempts will occur.
Refer to the official XStore Core website or WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.