VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 12 known issues Latest disclosed Mar 17, 2026

XStore Core Vulnerabilities

Review known vulnerability records for the WordPress plugin XStore Core (`et-core-plugin`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-25306, CVE-2026-25307 and CVE-2025-64190, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
12
High or Critical
5
Patch Coverage
100%
Last Updated
May 04, 2026
Related Security Guides

Use these guides while reviewing XStore Core fixes

Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.

Hardening
WordPress hardening checklist for exposed plugins

Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.
Plugin Security
WordPress plugin security basics for patch decisions

Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.
Scanning
WordPress vulnerability scanner buyer's guide

Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.
Patch Decision Workflow

How to prioritize XStore Core remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records
12
1. Match the Package
Confirm the installed WordPress plugin slug is et-core-plugin before acting on any CVE from this cluster.
2. Sort by Severity
Start with 5 high or critical records, then review medium and unrated findings with public references.
3. Check Patch Evidence
12 records include a patch path; verify compatibility before closing the finding.
4. Monitor Gaps
0 records still lack a listed fixed release, so keep this hub in the review queue.
High-Signal Remediation Targets
CVE-2024-33551 Critical
SQL Injection remediation for XStore Core

Affected range: Versions up to 5.3.8. Fixed version: 5.3.9.

CVE-2024-33556 Critical
Remote Code Execution remediation for XStore Core

Affected range: Versions up to 5.3.8. Fixed version: 5.3.9.

CVE-2024-33553 Critical
Vulnerability remediation for XStore Core

Affected range: Versions up to 5.3.8. Fixed version: 5.3.9.

CVE-2024-33552 Critical
Privilege Escalation remediation for XStore Core

Affected range: Versions up to 5.3.8. Fixed version: 5.3.9.

Priority CVE Quick Links

Fast paths into XStore Core CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
12
Tracked CVE Issue Type Affected Versions Fixed Version CVSS
CVE-2024-33551
XStore Core <= 5.3.8 - Unauthenticated SQL Injection
 SQL Injection Versions up to 5.3.8 5.3.9 CVSS 10.0
CVE-2024-33556
XStore Core <= 5.3.8 - Authenticated (Subscriber+) Limited Arbitrary File Upload
 Remote Code Execution Versions up to 5.3.8 5.3.9 CVSS 9.9
CVE-2024-33553
XStore Core <= 5.3.8 - Unauthenticated PHP Object Injection
 Vulnerability Versions up to 5.3.8 5.3.9 CVSS 9.8
CVE-2024-33552
XStore Core <= 5.3.8 - Unauthenticated Privilege Escalation
 Privilege Escalation Versions up to 5.3.8 5.3.9 CVSS 9.8
CVE-2024-33557
XStore Core <= 5.3.8 - Authenticated (Subscriber+) Local File Inclusion
 Local File Inclusion Versions up to 5.3.8 5.3.9 CVSS 8.8
CVE-2024-33558
XStore Core <= 5.3.8 - Authenticated (Subscriber+) Limited Arbitrary File Download
 Vulnerability Versions up to 5.3.8 5.3.9 CVSS 6.5
CVE-2026-25307
XStore Core < 5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
 Stored Cross-Site Scripting Versions before 5.7 5.7 CVSS 6.4
CVE-2025-64190
XStore Core < 5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
 Stored Cross-Site Scripting Versions before 5.6 5.6 CVSS 6.4
CVE-2024-33551 Critical 5.3.9
CVE-2024-33551 XStore Core SQL Injection

XStore Core <= 5.3.8 - Unauthenticated SQL Injection

CVE-2024-33556 Critical 5.3.9
CVE-2024-33556 XStore Core Remote Code Execution

XStore Core <= 5.3.8 - Authenticated (Subscriber+) Limited Arbitrary File Upload

CVE-2024-33553 Critical 5.3.9
CVE-2024-33553 XStore Core Vulnerability

XStore Core <= 5.3.8 - Unauthenticated PHP Object Injection

CVE-2024-33552 Critical 5.3.9
CVE-2024-33552 XStore Core Privilege Escalation

XStore Core <= 5.3.8 - Unauthenticated Privilege Escalation

CVE-2024-33557 High 5.3.9
CVE-2024-33557 XStore Core Local File Inclusion

XStore Core <= 5.3.8 - Authenticated (Subscriber+) Local File Inclusion

CVE-2024-33558 Medium 5.3.9
CVE-2024-33558 XStore Core Vulnerability

XStore Core <= 5.3.8 - Authenticated (Subscriber+) Limited Arbitrary File Download

CVE-2026-25307 Medium 5.7
CVE-2026-25307 XStore Core Stored Cross-Site Scripting

XStore Core < 5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-64190 Medium 5.6
CVE-2025-64190 XStore Core Stored Cross-Site Scripting

XStore Core < 5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for XStore Core so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
12 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
4 critical and 1 high severity finding.
Recent CVEs
CVE-2026-25306, CVE-2026-25307 and CVE-2025-64190
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for XStore Core

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-25306
CVE-2026-25306: XStore Core <= 5.6.4 - Reflected Cross-Site Scripting

The XStore Core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.6.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages t...

Published
Mar 17, 2026
Patched Release
5.6.5
Affected Versions
Versions up to 5.6.4
Next Step
Update to 5.6.5 or newer if supported.
Review CVE-2026-25306 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2026-25307
CVE-2026-25307: XStore Core < 5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The XStore Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web...

Published
Jan 19, 2026
Patched Release
5.7
Affected Versions
Versions before 5.7
Next Step
Update to 5.7 or newer if supported.
Review CVE-2026-25307 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-64190
CVE-2025-64190: XStore Core < 5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The XStore Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web...

Published
Dec 30, 2025
Patched Release
5.6
Affected Versions
Versions before 5.6
Next Step
Update to 5.6 or newer if supported.
Review CVE-2025-64190 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-64189
CVE-2025-64189: XStore Core < 5.6 - Reflected Cross-Site Scripting

The XStore Core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 5.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if the...

Published
Oct 17, 2025
Patched Release
5.6
Affected Versions
Versions before 5.6
Next Step
Update to 5.6 or newer if supported.
Review CVE-2025-64189 fixed version details Open CVE Reference
Plugin Critical Patched: Yes CVE-2024-33553
CVE-2024-33553: XStore Core <= 5.3.8 - Unauthenticated PHP Object Injection

The XStore Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.3.8 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable pl...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Review CVE-2024-33553 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-33558
CVE-2024-33558: XStore Core <= 5.3.8 - Authenticated (Subscriber+) Limited Arbitrary File Download

The et-core-plugin plugin for WordPress is vulnerable to arbitrary file downloads in all versions up to, and including, 5.3.8. This is due to the plugin not properly restricting which files can be downloaded. This makes it possible for authenticated attackers, with subscriber-lev...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Review CVE-2024-33558 fixed version details Open CVE Reference
Plugin High Patched: Yes CVE-2024-33557
CVE-2024-33557: XStore Core <= 5.3.8 - Authenticated (Subscriber+) Local File Inclusion

The XStore Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.3.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to include and execute arbitrary files on the server, allowing the e...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Review CVE-2024-33557 fixed version details Open CVE Reference
Plugin Critical Patched: Yes CVE-2024-33552
CVE-2024-33552: XStore Core <= 5.3.8 - Unauthenticated Privilege Escalation

The XStore Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.3.8. This makes it possible for unauthenticated attackers to gain higher privileged access to a vulnerable site.

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Review CVE-2024-33552 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-33555
CVE-2024-33555: XStore Core <= 5.3.8 - Missing Authorization

The XStore Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in versions up to, and including, 5.3.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unautho...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Review CVE-2024-33555 fixed version details Open CVE Reference
Plugin Critical Patched: Yes CVE-2024-33556
CVE-2024-33556: XStore Core <= 5.3.8 - Authenticated (Subscriber+) Limited Arbitrary File Upload

The XStore Core plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 5.3.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on t...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Review CVE-2024-33556 fixed version details Open CVE Reference
Plugin Critical Patched: Yes CVE-2024-33551
CVE-2024-33551: XStore Core <= 5.3.8 - Unauthenticated SQL Injection

The XStore Core plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.3.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attacke...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Review CVE-2024-33551 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-33554
CVE-2024-33554: XStore Core <= 5.3.8 - Reflected Cross-Site Scripting

The XStore Core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages t...

Published
Apr 25, 2024
Patched Release
5.3.9
Affected Versions
Versions up to 5.3.8
Next Step
Update to 5.3.9 or newer if supported.
Review CVE-2024-33554 fixed version details Open CVE Reference