Critical Security Flaws Uncovered in Popular WordPress eCommerce Theme XStore
A series of critical vulnerabilities have been discovered in the XStore theme and its accompanying XStore Core plugin, both widely used tools for building online stores on the WordPress platform. These vulnerabilities, if exploited, could lead to a range of malicious activities, including website takeover, data breaches, and the injection of malicious code.
The XStore theme, developed by 8theme for building online stores with WordPress and WooCommerce, has over 44,000 sales and ships with more than 130 pre-made demos for customization.
The XStore theme itself suffers from three critical vulnerabilities:
- Unauthenticated Local File Inclusion (CVE-2024-33560): This vulnerability allows unauthenticated users to include arbitrary PHP files present on the server. In the worst case this leads to code execution, if the attacker can fully or partially control the contents of a file that gets included.
- Unauthenticated SQL Injection (CVE-2024-33559): This vulnerability enables unauthenticated users to inject SQL into a query executed against the WordPress database, compromising the confidentiality and integrity of its data.
- Authenticated Arbitrary Option Update (CVE-2024-33564): This vulnerability permits authenticated users to update arbitrary WordPress options, which can lead to privilege escalation and unauthorized access to sensitive site functionality.
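The three theme-side vulnerability classes above, as an added illustration in generic WordPress PHP. This is not XStore's code and not the actual vulnerable code paths, which the advisory does not show; each hypothetical function is given in a vulnerable form next to a hardened one. Function, option, template and nonce names are assumptions.

```php
<?php
// Added illustration (hypothetical names, not XStore code): the three theme-side
// vulnerability classes in generic WordPress PHP, vulnerable form beside hardened form.

// 1. Local File Inclusion: a request parameter selects the PHP file to include.
function xs_example_load_template_vulnerable() {
    // Attacker controls the path: ../../wp-config.php, a log file, an uploaded file, ...
    $template = $_GET['template'];
    include get_template_directory() . '/templates/' . $template . '.php';
}

function xs_example_load_template_hardened() {
    // Map the request onto a fixed allowlist; never build the path from input.
    $allowed = array(
        'grid' => 'product-grid.php',
        'list' => 'product-list.php',
    );
    $key = isset( $_GET['template'] ) ? sanitize_key( wp_unslash( $_GET['template'] ) ) : 'grid';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_die( 'Unknown template', 400 );
    }
    include get_template_directory() . '/templates/' . $allowed[ $key ];
}

// 2. SQL injection: input concatenated straight into a $wpdb query.
function xs_example_products_by_title_vulnerable() {
    global $wpdb;
    $q = $_GET['q'];
    return $wpdb->get_results( "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE '%" . $q . "%'" );
}

function xs_example_products_by_title_hardened() {
    global $wpdb;
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    // prepare() quotes and escapes the placeholder; esc_like() escapes LIKE wildcards.
    $like = '%' . $wpdb->esc_like( $q ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s", $like )
    );
}

// 3. Arbitrary option update: an AJAX handler reachable by any logged-in user
//    (wp_ajax_ prefix) lets the caller choose the option name and value.
function xs_example_save_setting_vulnerable() {
    // A subscriber can set e.g. default_role or users_can_register.
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}

function xs_example_save_setting_hardened() {
    check_ajax_referer( 'xs_example_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Allowlist of option names, each paired with its sanitizer.
    $allowed = array(
        'xs_example_per_page' => 'absint',
        'xs_example_label'    => 'sanitize_text_field',
    );
    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! isset( $allowed[ $name ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = call_user_func( $allowed[ $name ], wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_xs_example_save_setting', 'xs_example_save_setting_hardened' );
```

The common thread is that the hardened forms decide what may happen from a server-side allowlist (template key, option name, capability) and only then consult the request, whereas the vulnerable forms let the request name the file, the query fragment or the option directly.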
The required XStore Core plugin also presents significant security risks:
- Unauthenticated SQL Injection (CVE-2024-33551): Similar to the theme vulnerability, this allows unauthenticated users to inject malicious SQL queries into the database, jeopardizing the site’s data.
- Unauthenticated PHP Object Injection (CVE-2024-33552): This vulnerability enables unauthenticated users to pass serialized strings to a vulnerable unserialize call, resulting in arbitrary PHP object injection. In the worst-case scenario, this could lead to remote code execution.
- Unauthenticated Account Takeover (CVE-2024-33553): This critical flaw allows unauthenticated users to reset any user's password, including an administrator's, and take over the account.
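The two plugin-side classes that are new relative to the theme, PHP object injection and an unauthenticated password reset, as an added illustration in generic WordPress PHP. This is not XStore Core's code and does not reproduce the actual vulnerable code paths, which the advisory does not show; the class, function and parameter names are assumptions.

```php
<?php
// Added illustration (hypothetical names, not XStore Core code): PHP object injection
// and an unverified password reset, vulnerable form beside hardened form.

// 4. PHP object injection: request data reaches unserialize(). Any class loaded by
//    WordPress with a __wakeup/__destruct side effect is a potential gadget; this one
//    deletes a file whose path the attacker chooses via the serialized property.
class Xs_Example_Cache {
    public $file;
    public function __destruct() {
        if ( $this->file && file_exists( $this->file ) ) {
            unlink( $this->file );
        }
    }
}

function xs_example_read_state_vulnerable() {
    // Encoding is not protection: the attacker just sends base64 of
    // O:16:"Xs_Example_Cache":1:{s:4:"file";s:18:"/path/wp-config.php";}
    return unserialize( base64_decode( $_POST['state'] ) );
}

function xs_example_read_state_hardened() {
    $raw   = isset( $_POST['state'] ) ? wp_unslash( $_POST['state'] ) : '';
    // Prefer a format with no object semantics at all.
    $state = json_decode( $raw, true );
    return is_array( $state ) ? $state : array();
}

// If a legacy serialized format must still be accepted, forbid object instantiation:
// objects decode to __PHP_Incomplete_Class, so no __wakeup/__destruct gadget runs.
function xs_example_read_legacy_state( $raw ) {
    $data = unserialize( $raw, array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}

// 5. Account takeover via password reset: the handler trusts a caller-supplied login
//    and sets a new password without ever checking a reset key.
function xs_example_reset_password_vulnerable() {
    $user = get_user_by( 'login', $_POST['login'] );
    if ( $user ) {
        wp_set_password( $_POST['new_password'], $user->ID ); // anyone resets anyone
    }
}

function xs_example_reset_password_hardened() {
    $login = isset( $_POST['login'] ) ? sanitize_user( wp_unslash( $_POST['login'] ) ) : '';
    $key   = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    // check_password_reset_key() validates the hashed, time-limited key produced by
    // get_password_reset_key() and mailed to the account owner; without that key the
    // caller has not proven control of the account's e-mail address.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_die( 'Invalid or expired reset key', 403 );
    }
    $new = isset( $_POST['new_password'] ) ? wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $new ) < 12 ) {
        wp_die( 'Password too short', 400 );
    }
    reset_password( $user, $new );
}
```

The reset-key check is the whole difference between a password-reset feature and an account-takeover primitive: the key is the only thing tying the request to the person who received the e-mail, so any custom reset endpoint that sets a password without passing through check_password_reset_key() (or an equivalent, single-use, expiring token) is exploitable by anyone who knows a username.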
All of the described vulnerabilities have been fixed in the latest versions of the theme and plugin: XStore theme version 9.3.9 and XStore Core plugin version 5.3.9 include the patches. Users are strongly advised to update to these versions immediately.