PT-2025-42227 · WordPress · Xstore

Published: 2025-10-15 · Updated: 2025-10-15 · CVE-2025-11746

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XStore versions prior to 9.5.5

Description: The XStore theme for WordPress is vulnerable to Local File Inclusion in the et_ajax_required_plugins_popup() function. Authenticated attackers with Subscriber-level access or higher can include and execute arbitrary .php files already present on the server. This can be used to bypass access controls, obtain sensitive data, or achieve remote code execution in cases where the attacker can also place a .php file on the filesystem (for example, where .php uploads are permitted).

Recommendations: Update XStore to version 9.5.5 or later. As a temporary workaround, restrict Subscriber-level accounts (for example, disable open user registration) until the update is applied, since the flaw is reachable by any authenticated user.
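The following PHP is an added illustration of the vulnerability class the advisory describes (a WordPress AJAX handler that includes a file named by the request, reachable by any logged-in user) and of the hardened form. It is not XStore's code; the hook, function and parameter names (demo_required_plugins_popup, popup_template) and the template directory are assumptions chosen for the example.

```php
<?php
// Added example, not XStore's code. Hook, function, parameter and directory
// names below are assumptions made for illustration.

// Vulnerable pattern: the wp_ajax_ hook fires for every authenticated user
// (Subscriber included), there is no capability check, and the included path
// is built straight from request input.
add_action('wp_ajax_demo_required_plugins_popup_vuln', 'demo_required_plugins_popup_vuln');
function demo_required_plugins_popup_vuln() {
    $template = isset($_POST['popup_template']) ? $_POST['popup_template'] : 'default';
    // A value such as "../../../uploads/2025/10/avatar" walks out of the
    // template directory; whatever .php file is already on disk is executed
    // with the web server's privileges.
    include get_template_directory() . '/framework/popups/' . $template . '.php';
    wp_die();
}

// Hardened pattern: capability check, nonce, strict allowlist of template
// names, and a realpath containment check as defence in depth.
add_action('wp_ajax_demo_required_plugins_popup', 'demo_required_plugins_popup');
function demo_required_plugins_popup() {
    // Only users who may manage plugins should reach a "required plugins" popup.
    if (!current_user_can('install_plugins')) {
        wp_send_json_error('forbidden', 403);
    }
    // Rejects cross-site requests; dies on an invalid nonce.
    check_ajax_referer('demo_required_plugins_popup', 'nonce');

    // Allowlist: only known template names, never a path fragment.
    $allowed  = array('default', 'compact');
    $template = sanitize_key(wp_unslash(isset($_POST['popup_template']) ? $_POST['popup_template'] : 'default'));
    if (!in_array($template, $allowed, true)) {
        wp_send_json_error('unknown template', 400);
    }

    // Defence in depth: the resolved file must live inside the popups directory.
    $base = realpath(get_template_directory() . '/framework/popups');
    $path = $base === false ? false : realpath($base . '/' . $template . '.php');
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error('invalid template path', 400);
    }

    include $path;
    wp_die();
}
```

The allowlist is what actually closes the hole; the realpath check only guards against a future regression (for example, a new template source that reintroduces a path component). For a real theme, the same two questions decide exploitability: which capability gates the handler, and whether any part of the included path originates in the request.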

Status: Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2025-11746

Affected Products: Xstore