CVE-2024-33562
Description
Reflected XSS in WordPress XStore theme ≤9.3.5 allows attackers to inject malicious scripts via crafted requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WordPress XStore theme ≤9.3.5 allows attackers to inject malicious scripts via crafted requests.
Vulnerability
Overview CVE-2024-33562 is a reflected cross-site scripting (XSS) vulnerability in the XStore theme for WordPress, affecting versions from n/a through 9.3.5. The issue arises from improper neutralization of user input during web page generation, allowing unvalidated data to be reflected in server responses [1].
Exploitation
Details An attacker can exploit this vulnerability by crafting a malicious link or form that, when interacted with by a privileged user (e.g., administrator), executes injected scripts in the victim's browser. The attack requires user interaction, such as clicking a link or submitting a form, and does not require prior authentication to initiate the attack [1].
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript payloads, potentially leading to redirects, advertisements, data theft, or other malicious actions that affect both the website and its visitors [1].
Mitigation
The vendor has addressed this vulnerability in XStore version 9.3.9. Users are strongly advised to update to this version or later. Until an update is applied, Patchstack provides a mitigation rule to block exploitation attempts [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<=9.3.5+ 1 more
- (no CPE)range: <=9.3.5
- (no CPE)range: <=9.3.5
Package: https://wordpress.org/themes/xstore
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.