CVE-2025-64189
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in the XStore Core WordPress plugin. Attackers can inject malicious scripts via crafted URLs that execute in victims' browsers when they visit compromised pages. WordPress sites using vulnerable versions of the XStore Core plugin are affected.
💻 Affected Systems
- 8theme XStore Core et-core-plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, take over WordPress admin accounts, install backdoors, deface websites, or redirect visitors to malicious sites.
Likely Case
Attackers steal user session cookies, perform phishing attacks, or redirect users to malicious content via crafted links.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited via phishing or malicious links. No authentication required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'XStore Core' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 5.6+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Implement Content Security Policy
Add CSP headers to restrict script execution sources and mitigate XSS impact. Note that a strict `script-src 'self'` also blocks inline scripts that many WordPress themes and plugins rely on, so test the policy on a staging site first; the Apache directive below requires mod_headers to be enabled.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
Disable Plugin
Temporarily disable the vulnerable plugin until patched.
wp plugin deactivate et-core-plugin
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads in URLs.
- Restrict plugin access to trusted users only and monitor for suspicious URL parameters.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for the XStore Core version. If the version is below 5.6, the system is vulnerable.
Check Version:
wp plugin get et-core-plugin --field=version
Verify Fix Applied:
Confirm XStore Core plugin version is 5.6 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusually long URL parameters in web server logs
- Requests containing script tags or JavaScript in query strings
- Multiple failed XSS attempts from the same IP
Network Indicators:
- HTTP requests with suspicious parameters like <script>, javascript:, or encoded payloads
- Unexpected redirects to external domains
SIEM Query:
source="web_logs" AND (url="*<script>*" OR url="*javascript:*" OR url="*%3Cscript%3E*")
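The log indicators and SIEM query above, turned into a small log scanner as an added example (not part of the advisory): it parses combined-format web server lines, URL-decodes the request target so percent-encoded payloads such as `%3Cscript%3E` are caught, flags only hits inside the query string, and reports IPs with repeated attempts. The sample log lines are constructed, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: client IP, request line ("GET /path?query HTTP/1.1"), status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')
# Indicators from the advisory's SIEM query plus two common event-handler forms, matched after decoding.
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

def normalize(target: str) -> str:
    """URL-decode up to three times to unwrap layered encoding, then lowercase."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()

def find_xss_hits(log_lines):
    """Return (ip, decoded_target, indicator) for each request whose query string carries an indicator."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = normalize(m.group("target"))
        if "?" not in target:
            continue  # reflected XSS rides on query parameters; a bare path is not a hit
        query = target.split("?", 1)[1]
        for ind in INDICATORS:
            if ind in query:
                hits.append((m.group("ip"), target, ind))
                break
    return hits

def repeat_offenders(hits, threshold=2):
    """IPs with at least `threshold` flagged requests (the 'multiple attempts from same IP' indicator)."""
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines (not real traffic): two probes from one IP, one double-encoded probe,
# and a benign request whose path merely contains the word "javascript".
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2025:12:00:05 +0000] "GET /shop/?q=javascript:alert(1) HTTP/1.1" 200 498',
    '198.51.100.4 - - [10/Oct/2025:12:00:09 +0000] "GET /?page=%253Cscript%253E HTTP/1.1" 200 480',
    '192.0.2.9 - - [10/Oct/2025:12:00:12 +0000] "GET /product/javascript-book/?sort=price HTTP/1.1" 200 1024',
]
```

Run `find_xss_hits` over your real access log lines and feed `repeat_offenders` into your blocklist or alerting; the decode loop is what lets this catch the double-encoded third line that the plain `*%3Cscript%3E*` pattern in the SIEM query would miss.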