VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 11 known issues Latest disclosed Mar 17, 2026

XStore Core Vulnerabilities

Review known vulnerability records for the WordPress plugin XStore Core (`et-core-plugin`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-25306, CVE-2025-64190 and CVE-2025-64189, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
11
High or Critical
5
Patch Coverage
100%
Last Updated
Mar 27, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for XStore Core so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
11 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
4 critical and 1 high severity finding.
Recent CVEs
CVE-2026-25306, CVE-2025-64190 and CVE-2025-64189
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2025-64189 Medium Patch path listed

XStore Core < 5.6 - Reflected Cross-Site Scripting

The XStore Core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 5.6 due to insufficient input sanitization and output escaping. This makes it possible...

Published
Oct 17, 2025
Patch Status
5.6
Open Full Report
Known Vulnerabilities

Reports for XStore Core

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-25306
XStore Core <= 5.6.4 - Reflected Cross-Site Scripting

The XStore Core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.6.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages t...

Published
Mar 17, 2026
Patched Release
5.6.5
Affected Versions
Versions up to 5.6.4
Next Step
Update to 5.6.5 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-64190
XStore Core < 5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The XStore Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web...

Published
Dec 30, 2025
Patched Release
5.6
Affected Versions
Versions before 5.6
Next Step
Update to 5.6 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-64189
XStore Core < 5.6 - Reflected Cross-Site Scripting

The XStore Core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 5.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if the...

Published
Oct 17, 2025
Patched Release
5.6
Affected Versions
Versions before 5.6
Next Step
Update to 5.6 or newer if supported.
Open Full Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2024-33553
XStore Core <= 5.3.8 - Unauthenticated PHP Object Injection

The XStore Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.3.8 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable pl...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-33558
XStore Core <= 5.3.8 - Authenticated (Subscriber+) Limited Arbitrary File Download

The et-core-plugin plugin for WordPress is vulnerable to arbitrary file downloads in all versions up to, and including, 5.3.8. This is due to the plugin not properly restricting which files can be downloaded. This makes it possible for authenticated attackers, with subscriber-lev...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2024-33557
XStore Core <= 5.3.8 - Authenticated (Subscriber+) Local File Inclusion

The XStore Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.3.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to include and execute arbitrary files on the server, allowing the e...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Open Full Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2024-33552
XStore Core <= 5.3.8 - Unauthenticated Privilege Escalation

The XStore Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.3.8. This makes it possible for unauthenticated attackers to gain higher privileged access to a vulnerable site.

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-33555
XStore Core <= 5.3.8 - Missing Authorization

The XStore Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in versions up to, and including, 5.3.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unautho...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Open Full Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2024-33556
XStore Core <= 5.3.8 - Authenticated (Subscriber+) Limited Arbitrary File Upload

The XStore Core plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 5.3.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on t...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Open Full Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2024-33551
XStore Core <= 5.3.8 - Unauthenticated SQL Injection

The XStore Core plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.3.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attacke...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-33554
XStore Core <= 5.3.8 - Reflected Cross-Site Scripting

The XStore Core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages t...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Open Full Report Open CVE Reference