WordPress XStore Core plugin <= 5.6.4 - Reflected Cross Site Scripting (XSS) vulnerability

The primary impact of this vulnerability is the ability for an attacker to execute arbitrary JavaScript code within the context of a victim's browser. This can be exploited to steal cookies, session tokens, and other sensitive information. An attacker could also redirect users to malicious websites, deface the website, or inject malware. Given the widespread use of WordPress and the XStore Core plugin, a successful exploitation could affect a large number of users and websites. The reflected nature of the XSS means that an attacker needs to trick a user into clicking a malicious link, but this is often achievable through phishing or social engineering techniques.

Websites using the XStore Core plugin for WordPress, particularly those with user input fields or forms that are not properly sanitized, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.

• wordpress / composer / npm:

grep -r 'XStore Core' /var/www/html/wp-content/plugins/
wp plugin list | grep 'XStore Core'

• generic web:

curl -I https://example.com/?param=<script>alert(1)</script>

1. 2026-03-25Disclosure

   disclosure

1. 已保留2026-02-02
2. 发布日期2026-03-25
3. 修改日期2026-04-28
4. EPSS 更新日期2026-04-02

The most effective mitigation is to immediately upgrade the XStore Core plugin to version 5.6.5 or later. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider implementing input validation and output encoding on user-supplied data to prevent XSS. Web Application Firewalls (WAFs) can be configured to filter out malicious requests containing XSS payloads. Regularly scan your WordPress installation for vulnerabilities using security plugins and keep all plugins and themes updated.