CVE-2026-3326
Description
Xstore WordPress theme versions prior to 9.7.3 are vulnerable to unauthenticated SQL injection via AJAX actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Xstore WordPress theme versions prior to 9.7.3 contain a SQL injection vulnerability. This flaw exists because a parameter is not properly sanitized or escaped before being used in a SQL query within an AJAX action that is accessible to unauthenticated users [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a specially crafted request to the theme's AJAX endpoint. This request would contain malicious SQL code within a parameter, which the vulnerable code path would then execute on the database [1].
Impact
Successful exploitation of this SQL injection vulnerability allows an unauthenticated attacker to read, extract or manipulate data in the WordPress database, potentially leading to information disclosure or further compromise of the website [1].
Mitigation
The vulnerability is fixed in Xstore WordPress theme version 9.7.3. Users are advised to update to this version or a later one. No workarounds are mentioned in the available references, and the theme is not listed as end-of-life or on the KEV catalog [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The theme does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action."
Attack vector
An unauthenticated user can trigger a SQL injection vulnerability by sending a crafted request to an AJAX action within the Xstore theme. The vulnerability exists because a parameter is not properly sanitized or escaped before being included in a SQL query. This allows an attacker to manipulate the query and potentially extract sensitive data from the database [1].
Affected code
The vulnerability resides in an AJAX action within the Xstore WordPress theme that is accessible to unauthenticated users. Specifically, the theme fails to properly sanitize and escape a parameter before incorporating it into a SQL statement [1].
What the fix does
The advisory indicates that the vulnerability is fixed in version 9.7.3 of the Xstore theme. The patch addresses the improper sanitization and escaping of a parameter used in SQL statements via an AJAX action. By correctly sanitizing and escaping user-supplied input, the theme prevents malicious SQL code from being injected into database queries [1].
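As an added illustration (not code from the Xstore theme; the advisory does not name the affected action, parameter or query), the pattern the root cause describes and the kind of fix described above, in generic WordPress terms: an AJAX handler registered for unauthenticated visitors that interpolates a request parameter into a `$wpdb` query, beside the same handler binding the value through `$wpdb->prepare()`. The action name, parameter name and query are hypothetical placeholders.

```php
<?php
// Added example, not Xstore's code. The action name, parameter name and
// query are hypothetical; the advisory does not disclose the real ones.

// Vulnerable pattern: wp_ajax_nopriv_ exposes the handler to visitors who
// are not logged in, and the request value is dropped straight into the
// SQL string, so it is parsed as part of the query rather than as data.
add_action( 'wp_ajax_nopriv_example_lookup', 'example_lookup_vulnerable' );
function example_lookup_vulnerable() {
    global $wpdb;
    $term = isset( $_POST['term'] ) ? $_POST['term'] : '';
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%{$term}%'";
    $rows = $wpdb->get_results( $sql ); // untrusted input inside the query text
    wp_send_json_success( $rows );
}

// Hardened pattern: sanitize the value, escape LIKE wildcards, and bind it
// as a %s placeholder so $wpdb->prepare() escapes it as a string literal.
add_action( 'wp_ajax_nopriv_example_lookup_fixed', 'example_lookup_fixed' );
function example_lookup_fixed() {
    global $wpdb;
    $term = isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '';
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s",
        $like
    );
    $rows = $wpdb->get_results( $sql ); // value is bound, not concatenated
    wp_send_json_success( $rows );
}
```

When reviewing a theme or plugin for this class of bug, the things to grep for are `wp_ajax_nopriv_` registrations whose callbacks build SQL with string interpolation or concatenation instead of `$wpdb->prepare()`.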
Preconditions
- auth: The vulnerability is reachable by unauthenticated users.
- input: The vulnerability is triggered by a parameter that is not properly sanitized or escaped.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.