VulnTitan VulnTitan Security command center
Theme Vulnerability Hub
Theme 11 known issues Latest disclosed Oct 14, 2025

XStore Vulnerabilities

Review known vulnerability records for the WordPress theme XStore (`xstore`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-11746, CVE-2025-60100 and CVE-2025-64193, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
11
High or Critical
5
Patch Coverage
100%
Last Updated
Mar 17, 2026
Priority CVE Quick Links

Fast paths into XStore CVE reports

Start with the highest-signal CVE records for this WordPress theme before scanning the full vulnerability feed.

Indexed CVEs
11
CVE-2024-33559 Critical 9.3.9
CVE-2024-33559 XStore SQL Injection

XStore <= 9.3.8 - Unauthenticated SQL Injection

CVE-2024-33560 Critical 9.3.9
CVE-2024-33560 XStore Local File Inclusion

XStore <= 9.3.8 - Unauthenticated Local File Inclusion

CVE-2025-11746 High 9.6
CVE-2025-11746 XStore Local File Inclusion

XStore | Multipurpose WooCommerce Theme <= 9.5.4 - Authenticated (Subscriber+) Local File Inclusion

CVE-2024-33564 High 9.3.9
CVE-2024-33564 XStore Privilege Escalation

XStore <= 9.3.8 - Authenticated (Subscriber+) Arbitrary Options Update

CVE-2025-64193 High 9.6.1
CVE-2025-64193 XStore Local File Inclusion

XStore < 9.6.1 - Authenticated (Subscriber+) Local File Inclusion

CVE-2025-60100 Medium 9.6
CVE-2025-60100 XStore Vulnerability

XStore < 9.6 - Unauthenticated Arbitrary Shortcode Execution

CVE-2025-64191 Medium 9.6.1
CVE-2025-64191 XStore Cross-Site Scripting

XStore < 9.6.1 - Reflected Cross-Site Scripting

CVE-2024-33562 Medium 9.3.9
CVE-2024-33562 XStore Cross-Site Scripting

XStore <= 9.3.8 - Reflected Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for XStore so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
11 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
2 critical and 3 high severity findings.
Recent CVEs
CVE-2025-11746, CVE-2025-60100 and CVE-2025-64193
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for XStore

Sorted by latest disclosure date so newly published issues surface first.

Theme High Patched: Yes CVE-2025-11746
CVE-2025-11746: XStore | Multipurpose WooCommerce Theme <= 9.5.4 - Authenticated (Subscriber+) Local File Inclusion

The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via theet_ajax_required_plugins_popup() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute ar...

Published
Oct 14, 2025
Patched Release
9.6
Affected Versions
Versions up to 9.5.4
Next Step
Update to 9.6 or newer if supported.
Open CVE-2025-11746 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-60100
CVE-2025-60100: XStore < 9.6 - Unauthenticated Arbitrary Shortcode Execution

The The XStore theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and excluding, 9.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible...

Published
Sep 26, 2025
Patched Release
9.6
Affected Versions
Versions before 9.6
Next Step
Update to 9.6 or newer if supported.
Open CVE-2025-60100 Report Open CVE Reference
Theme High Patched: Yes CVE-2025-64193
CVE-2025-64193: XStore < 9.6.1 - Authenticated (Subscriber+) Local File Inclusion

The XStore theme for WordPress is vulnerable to Local File Inclusion in versions up to 9.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code i...

Published
Sep 10, 2025
Patched Release
9.6.1
Affected Versions
Versions before 9.6.1
Next Step
Update to 9.6.1 or newer if supported.
Open CVE-2025-64193 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-64192
CVE-2025-64192: XStore < 9.6 - Missing Authorization

The XStore theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 9.6 (exclusive). This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action...

Published
Sep 10, 2025
Patched Release
9.6
Affected Versions
Versions before 9.6
Next Step
Update to 9.6 or newer if supported.
Open CVE-2025-64192 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2025-64191
CVE-2025-64191: XStore < 9.6.1 - Reflected Cross-Site Scripting

The XStore theme for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 9.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they ca...

Published
Sep 10, 2025
Patched Release
9.6.1
Affected Versions
Versions before 9.6.1
Next Step
Update to 9.6.1 or newer if supported.
Open CVE-2025-64191 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2024-33562
CVE-2024-33562: XStore <= 9.3.8 - Reflected Cross-Site Scripting

The XStore theme for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 9.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that ex...

Published
Apr 25, 2024
Patched Release
9.3.9
Affected Versions
Versions up to 9.3.8
Next Step
Update to 9.3.9 or newer if supported.
Open CVE-2024-33562 Report Open CVE Reference
Theme Critical Patched: Yes CVE-2024-33560
CVE-2024-33560: XStore <= 9.3.8 - Unauthenticated Local File Inclusion

The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.3.8. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This...

Published
Apr 25, 2024
Patched Release
9.3.9
Affected Versions
Versions up to 9.3.8
Next Step
Update to 9.3.9 or newer if supported.
Open CVE-2024-33560 Report Open CVE Reference
Theme Critical Patched: Yes CVE-2024-33559
CVE-2024-33559: XStore <= 9.3.8 - Unauthenticated SQL Injection

The XStore theme for WordPress is vulnerable to SQL Injection in versions up to, and including, 9.3.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to...

Published
Apr 25, 2024
Patched Release
9.3.9
Affected Versions
Versions up to 9.3.8
Next Step
Update to 9.3.9 or newer if supported.
Open CVE-2024-33559 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2024-33563
CVE-2024-33563: XStore <= 9.3.8 - Missing Authorization

The XStore theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 9.3.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions...

Published
Apr 25, 2024
Patched Release
9.3.9
Affected Versions
Versions up to 9.3.8
Next Step
Update to 9.3.9 or newer if supported.
Open CVE-2024-33563 Report Open CVE Reference
Theme High Patched: Yes CVE-2024-33564
CVE-2024-33564: XStore <= 9.3.8 - Authenticated (Subscriber+) Arbitrary Options Update

The XStore theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 9.3.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arb...

Published
Apr 25, 2024
Patched Release
9.3.9
Affected Versions
Versions up to 9.3.8
Next Step
Update to 9.3.9 or newer if supported.
Open CVE-2024-33564 Report Open CVE Reference
Theme Medium Patched: Yes CVE-2024-33561
CVE-2024-33561: XStore <= 9.3.8 - Missing Authorization

The XStore theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 9.3.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Apr 25, 2024
Patched Release
9.3.9
Affected Versions
Versions up to 9.3.8
Next Step
Update to 9.3.9 or newer if supported.
Open CVE-2024-33561 Report Open CVE Reference