WordPress XStore Theme <= 9.5.3 is vulnerable to Content Injection

Patch priority: low
Patch within 30 days Low priority
5.3
Medium severity CVSS 3.1 score
Published on 10 September, 2025

Vulnerability description

Rafie Muhammad (Patchstack) discovered and reported this Content Injection vulnerability in WordPress XStore Theme to Patchstack.

How to fix common vulnerabilities

How to reproduce

Unauthenticated Shortcode Execution

View the details on the attached .txt file

Additional information by researcher

-

Additional comment by Patchstack

Patch validated, waiting for release

See researcher files below

2fa1552c-d224-464b-a63f-d416ca373765.txt

How to disclose

To make the patching process easier and safer for all users, we recommend reading our memo about the most common vulnerabilities and the way these can be fixed. If you need help understanding some of the security concepts, don’t worry. That’s when we step in and help.

Please send us the patched version or code before releasing it, so we could help you avoid incomplete patches that could lead to inconveniences. Don’t delay security patch releases for other non-security updates. Ideally, security fixes would be released separately so users could update ASAP without fear of anything breaking. You can also join the free Patchstack mVDP program to have better control over the vulnerability patching and disclosure process.

Link to updated version
Request security audit instead
Found this useful? Thank Rafie Muhammad (Patchstack) for reporting this vulnerability. Buy a coffee ☕
Software
XStore
Developer
Claim ownership
Type
Theme
Vulnerable versions
<= 9.5.3
CVE
Not assigned yet
Classification
Content Injection
OWASP Top 10
A3: Injection
Required privilege
Unauthenticated
Credits
Rafie Muhammad (Patchstack) Rafie Muhammad (Patchstack)
Published
on 10 September, 2025
Start a managed security program with Patchstack as your point of contact. Apply for free
Request a security audit from our certified in-house security researchers. Request audit

Provide link to fix

© 2025 Patchstack DPA Privacy Policy Accessibility Terms & Conditions

Vulnerability mitigation

Pricing Application security (SCA) RapidMitigateNEW Threat Intelligence (API) Documentation VS Monarx VS Imunify360 VS Wordfence Log in

Code security

Managed VDP Security Suite BETANEW Active VDP directory875 Security auditing Compliance (CRA)NEW Log inNEW

Bug bounty

Bug bounty Leaderboard Guidelines LearnNEW Report Discord Log inNEW

Use cases

Web developers WebhostsNEW Software vendors WordPress WooCommerce

Resources

Vulnerability database Whitepaper 2025 Articles Case studiesNEW WebinarsNEW Vulnerability statistics

Patchstack

About Careers Merch store Media kit LinkedIn Facebook X
Mobile Menu

Let us know if we have missed a vulnerability reported elsewhere

Mobile Menu Close

Thank you for contributing!

Close Mobile Menu

Patch has been uploaded

Thank you for uploading the patch, we will look into the patch as soon as possible and get back at you.

Close