CVE-2025-64191

The 8theme XStore theme for WordPress, versions prior to 9.6.1, contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw stems from insufficient sanitization of parameters reflected in server responses, enabling an attacker to embed arbitrary JavaScript or HTML payloads into rendered pages.

Attack exploitation requires user interaction, such as clicking a crafted link or submitting a specially prepared form [1]. While an attacker does not need authentication to inject the payload, the victim must perform an action (e.g., visiting a malicious URL) for the script to execute [1]. This attack vector is frequently leveraged in mass-exploit campaigns targeting thousands of WordPress sites regardless of their popularity [1].

Successful exploitation allows an attacker to execute malicious scripts in the context of the victim's browser session. This can be used to perform redirects to phishing pages, inject unwanted advertisements, or steal sensitive session information via cookie exfiltration [1]. The CVSS v3 score of 7.1 indicates moderate severity, with the vulnerability expected to become actively exploited [1].

Mitigation is straightforward: update the XStore theme to version 9.6.1 or later, which contains the fix [1]. For users unable to update immediately, Patchstack provides a virtual mitigation rule that blocks attacks until the patched version is applied [1]. Given the public availability of exploit details and the theme's widespread use, prompt patching is strongly recommended [1].