{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25006", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:57.104Z", "datePublished": "2026-02-19T08:26:52.080Z", "dateUpdated": "2026-04-28T16:14:53.207Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "xstore", "product": "XStore", "vendor": "8theme", "versions": [{"changes": [{"at": "9.6.5", "status": "unaffected"}], "lessThanOrEqual": "9.6.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:04.932Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection.<p>This issue affects XStore: from n/a through <= 9.6.4.</p>"}], "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection.This issue affects XStore: from n/a through <= 9.6.4."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:53.207Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/xstore/vulnerability/wordpress-xstore-theme-9-6-4-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress XStore theme <= 9.6.4 - Arbitrary Shortcode Execution vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T16:20:20.946777Z", "id": "CVE-2026-25006", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T20:08:36.535Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25006", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T16:20:20.946777Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T16:20:36.899Z"}}], "cna": {"title": "WordPress XStore theme <= 9.6.4 - Arbitrary Shortcode Execution vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "8theme", "product": "XStore", "versions": [{"status": "affected", "changes": [{"at": "9.6.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "9.6.4"}], "packageName": "xstore", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:04.932Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/xstore/vulnerability/wordpress-xstore-theme-9-6-4-arbitrary-shortcode-execution-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection.This issue affects XStore: from n/a through <= 9.6.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection.<p>This issue affects XStore: from n/a through <= 9.6.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.693Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25006", "state": "PUBLISHED", "dateUpdated": "2026-04-27T20:08:36.535Z", "dateReserved": "2026-01-28T09:50:57.104Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:52.080Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore xstore allows Code Injection.This issue affects XStore: from n/a through <= 9.6.4."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de Etiquetas HTML Relacionadas con Scripts en una P\u00e1gina Web (XSS B\u00e1sico) vulnerabilidad en 8theme XStore xstore permite la Inyecci\u00f3n de C\u00f3digo. Este problema afecta a XStore: desde n/a hasta &lt;= 9.6.4."}], "id": "CVE-2026-25006", "lastModified": "2026-04-27T21:16:26.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-19T09:16:14.497", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/xstore/vulnerability/wordpress-xstore-theme-9-6-4-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.6.4]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[9.6.5,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "XStore", "source": "cna", "vendor": "8theme"}, "product": "xstore", "vendor": "8theme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:39:30.008161+00:00", "value": {"mitigation_remediation": ["Upgrade the XStore theme to the latest available version (9.6.5 or later) that includes the security fix.", "If an upgrade cannot be performed immediately, disable or remove any custom shortcodes that accept arbitrary code input, and restrict the use of shortcodes to a safe, pre\u2011approved set.", "Ensure that all user\u2011generated content is properly sanitized by WordPress\u2019s built\u2011in escaping functions or a dedicated sanitization plugin that strips out script tags and other disallowed HTML elements."], "summary": {"action": "Apply Update", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Every WordPress installation that uses the 8theme XStore theme version 9.6.4 or earlier is affected. The vulnerability applies to all releases starting from the earliest available to and including 9.6.4.", "description_and_impact": "The flaw is an improper neutralization of script\u2011related HTML tags that lets an attacker embed malicious code through shortcodes rendered by the XStore theme. This basic XSS vulnerability can allow injection of arbitrary JavaScript into page content, compromising the integrity and confidentiality of the site for users who visit the affected pages. While it does not guarantee remote code execution on the server, the ability to execute code on the client side can be leveraged for phishing, defacement, or credential theft.", "risk_and_exploitability": "The CVSS score of 5.3 places this issue in the medium severity range, and the EPSS below 1% indicates a very low expected exploitation likelihood at present. It is not listed in CISA\u2019s KEV catalog. The likely attack vector involves a remote actor who can insert or modify content\u2014such as posts, pages, or comment submissions\u2014that the theme processes without adequate sanitization. Authentication may be required to create or edit posts, but if public posting is enabled, it could be abused without credentials."}}}}, "created": "2026-02-20T10:11:07.645458+00:00", "updated": "2026-04-16T06:45:16.316035+00:00", "vendors": ["8theme", "8theme$PRODUCT$xstore", "wordpress", "wordpress$PRODUCT$wordpress"]}