CVE-2025-64192
Description
Missing Authorization vulnerability in 8theme XStore xstore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects XStore: from n/a through < 9.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in the 8theme XStore WordPress theme before 9.6 allows unprivileged attackers to exploit incorrectly configured access controls.
Vulnerability
Overview
CVE-2025-64192 is a missing authorization vulnerability in the 8theme XStore WordPress theme. The issue affects versions before 9.6 and stems from incorrectly configured access control security levels [1].
Exploitation
An attacker can exploit this broken access control flaw without requiring authentication or higher privileges. Because the theme lacks proper authorization and nonce token checks, unprivileged users are able to execute higher-privileged actions within the theme's functionality [1]. This vulnerability is expected to be exploited and may be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Impact
Successful exploitation allows an attacker to bypass access restrictions and perform actions that should be reserved for higher-privileged users, such as administrators. This can lead to unauthorized changes to site settings, content, or user data, depending on the affected function [1].
Mitigation
The vendor has released version 9.6, which resolves the vulnerability. Users are advised to update immediately to version 9.6 or later. For those unable to update, Patchstack has issued a mitigation rule to block attacks until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 9.6
Patches
No patches discovered yet.