Return to previous page

Site Vulnerabilities reported by Cpanel at inMotion Host

This topic has 2 replies, 2 voices, and was last updated 3 months, 3 weeks ago ago by Rose Tyler

Budeva

Participant

June 13, 2024 at 18:40

Hello Theme8 Team

This is not a request for support. Its an inquiry in regards to these existing security vulnerabilities the cPanel at inMotion is reporting as unresolved during its daily scan of the wordpress installation in regards to both the xstore theme and the xstore core.

Are your team aware of these vulnerabilities? if so, whats the expected updated time frame if your team is already addressing them?
I see mention of only one vulnerability on the changelog but its old, not related to these current ones https://xstore.8theme.com/update-history/

Thanks 🙂

The vulnerabilities list is attached below as of today’s scan (jun 13th 2024)

Risk Where How To Fix
High WordPress XStore Core plugin <= 5.3.8 - Unauthenticated Account Takeover vulnerability Unauthenticated Account Takeover vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XStore Core (versions <= 5.3.8) Date: 25.04.2024 | Source: Plugin Deactivate plugin High WordPress XStore Core plugin <= 5.3.8 - Unauthenticated PHP Object Injection vulnerability Unauthenticated PHP Object Injection vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XStore Core (versions <= 5.3.8) Date: 25.04.2024 | Source: Plugin Deactivate plugin High WordPress XStore Core plugin <= 5.3.8 - Unauthenticated SQL Injection vulnerability Unauthenticated SQL Injection vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XStore Core (versions <= 5.3.8) Date: 25.04.2024 | Source: Plugin Deactivate plugin High WordPress XStore theme <= 9.3.8 - Unauthenticated SQL Injection vulnerability Unauthenticated SQL Injection vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme XStore (versions <= 9.3.8) Date: 25.04.2024 | Source: Theme No updates available High WordPress XStore theme <= 9.3.8 - Unauthenticated Local File Inclusion vulnerability Unauthenticated Local File Inclusion vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme XStore (versions <= 9.3.8) Date: 25.04.2024 | Source: Theme No updates available High WordPress XStore theme <= 9.3.8 - Arbitrary Option Update vulnerability Arbitrary Option Update vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme X... Show more Date: 25.04.2024 | Source: Theme No updates available High WordPress XStore Core plugin <= 5.3.8 - Local File Inclusion vulnerability Local File Inclusion vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XSt... Show more Date: 25.04.2024 | Source: Plugin Deactivate plugin High WordPress XStore Core plugin <= 5.3.8 - Limited Arbitrary File Upload vulnerability Limited Arbitrary File Upload vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress P... Show more Date: 25.04.2024 | Source: Plugin Deactivate plugin High WordPress XStore Core plugin <= 5.3.8 - Multiple Authenticated Broken Access Control vulnerability Multiple Authenticated Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack)... Show more Date: 25.04.2024 | Source: Plugin Deactivate plugin High WordPress XStore theme <= 9.3.8 - Broken Access Control vulnerability Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme XSt... Show more Date: 25.04.2024 | Source: Theme No updates available High WordPress XStore theme <= 9.3.8 - Unauthenticated Broken Access Control vulnerability Unauthenticated Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack) in Wor... Show more Date: 25.04.2024 | Source: Theme No updates available High WordPress XStore Core plugin <= 5.3.8 - Limited Arbitrary File Download vulnerability Limited Arbitrary File Download vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress... Show more Date: 25.04.2024 | Source: Plugin Deactivate plugin Medium WordPress XStore Core plugin <= 5.3.8 - Reflected Cross Site Scripting (XSS) vulnerability Reflected Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad (Patchstack) in Word... Show more Date: 25.04.2024 | Source: Plugin Deactivate plugin Medium WordPress XStore theme <= 9.3.8 - Reflected Cross Site Scripting (XSS) vulnerability Reflected Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad (Patchstack) in Word... Show more Theme No updates available

#399678 Copied Theme version: 9.3.12

1 Answer

Rose Tyler

Support staff

June 14, 2024 at 08:38

Hello, Budeva,

Thank you for reaching out to us.

Was solved.
1/ https://www.8theme.com/topic/security-problem-xstore-core-plugin/
2/ https://www.8theme.com/topic/the-site-loading-speed-for-nike-market-02-theme-is-very-slow/#post-397180
3/ https://www.8theme.com/topic/xstore-patcher-error-cpanel-vulnerabilities-found/
4/ https://www.8theme.com/topic/urgent-vulnerability-in-xstore-is-it-solved/#post-394132

Best Regards,
8Theme’s Team

#399740 Copied
Tagged: cpanel security features, cpanel site vulnerabilities, inmotion host reports, online store protection, secure ecommerce templates, website security solutions, wordpress woocommerce templates
Viewing 2 results - 1 through 2 (of 2 total)