CVE-2025-64189

Vulnerability

Overview

CVE-2025-64189 is a reflected cross-site scripting (XSS) vulnerability in the 8theme XStore Core plugin (et-core-plugin) for WordPress. The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into a response. This is a reflected XSS flaw, meaning the payload is delivered via a crafted link or form submission and executed in the context of the victim's browser [1].

Exploitation

Prerequisites

Exploitation requires user interaction — a privileged user (such as an administrator) must click a malicious link, visit a specially crafted page, or submit a form that triggers the vulnerable functionality. The attacker does not need prior authentication to the WordPress site, but the victim must be logged in with sufficient privileges for the attack to succeed in some scenarios. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Impact

Successful exploitation allows an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads. These scripts execute when other users (including visitors) access the affected page, potentially leading to session hijacking, defacement, or phishing attacks [1].

Mitigation

The vulnerability affects XStore Core versions from n/a through version 5.5.x of XStore Core. The vendor has released version 5.6 which resolves the issue. Users are strongly advised to update immediately. For those unable to update, Patchstack has issued a mitigation rule to block attacks until the update is applied [1].