Plataforma
wordpress
Componente
et-core-plugin
Corrigido em
5.6.5
CVE-2026-25306 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the XStore Core plugin for WordPress. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions of XStore Core from 0.0.0 up to and including 5.6.4, and a patch is available in version 5.6.5.
The primary impact of this vulnerability is the ability for an attacker to execute arbitrary JavaScript code within the context of a victim's browser. This can be exploited to steal cookies, session tokens, and other sensitive information. An attacker could also redirect users to malicious websites, deface the website, or inject malware. Given the widespread use of WordPress and the XStore Core plugin, a successful exploitation could affect a large number of users and websites. The reflected nature of the XSS means that an attacker needs to trick a user into clicking a malicious link, but this is often achievable through phishing or social engineering techniques.
CVE-2026-25306 was publicly disclosed on 2026-03-25. No public proof-of-concept (PoC) code has been released at the time of this writing, but the vulnerability's nature makes it likely that PoCs will emerge. It is not currently listed on CISA KEV. The ease of exploitation, combined with the plugin's popularity, suggests a medium probability of exploitation.
Websites using the XStore Core plugin for WordPress, particularly those with user input fields or forms that are not properly sanitized, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'XStore Core' /var/www/html/wp-content/plugins/
wp plugin list | grep 'XStore Core'• generic web:
curl -I https://example.com/?param=<script>alert(1)</script>disclosure
Status do Exploit
EPSS
0.04% (percentil 11%)
CISA SSVC
Vetor CVSS
The most effective mitigation is to immediately upgrade the XStore Core plugin to version 5.6.5 or later. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider implementing input validation and output encoding on user-supplied data to prevent XSS. Web Application Firewalls (WAFs) can be configured to filter out malicious requests containing XSS payloads. Regularly scan your WordPress installation for vulnerabilities using security plugins and keep all plugins and themes updated.
Update to version 5.6.5, or a newer patched version
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2026-25306 is a Reflected XSS vulnerability in the XStore Core WordPress plugin, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using XStore Core versions 0.0.0 through 5.6.4. Upgrade to 5.6.5 or later to mitigate the risk.
Upgrade the XStore Core plugin to version 5.6.5 or later. If upgrading is not possible immediately, implement input validation and output encoding.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that exploitation attempts will occur.
Refer to the official XStore Core website or WordPress plugin repository for the latest advisory and update information.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.