This topic has 2 replies, 2 voices, and was last updated 6 months, 1 weeks ago ago by Rose Tyler
Hello Theme8 Team
This is not a request for support. Its an inquiry in regards to these existing security vulnerabilities the cPanel at inMotion is reporting as unresolved during its daily scan of the wordpress installation in regards to both the xstore theme and the xstore core.
Are your team aware of these vulnerabilities? if so, whats the expected updated time frame if your team is already addressing them?
I see mention of only one vulnerability on the changelog but its old, not related to these current ones https://xstore.8theme.com/update-history/
Thanks 🙂
The vulnerabilities list is attached below as of today’s scan (jun 13th 2024)
Risk Where How To Fix
High WordPress XStore Core plugin <= 5.3.8 - Unauthenticated Account Takeover vulnerability
Unauthenticated Account Takeover vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XStore Core (versions <= 5.3.8)
Date: 25.04.2024 | Source: Plugin Deactivate plugin
High WordPress XStore Core plugin <= 5.3.8 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XStore Core (versions <= 5.3.8)
Date: 25.04.2024 | Source: Plugin Deactivate plugin
High WordPress XStore Core plugin <= 5.3.8 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XStore Core (versions <= 5.3.8)
Date: 25.04.2024 | Source: Plugin Deactivate plugin
High WordPress XStore theme <= 9.3.8 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme XStore (versions <= 9.3.8)
Date: 25.04.2024 | Source: Theme No updates available
High WordPress XStore theme <= 9.3.8 - Unauthenticated Local File Inclusion vulnerability
Unauthenticated Local File Inclusion vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme XStore (versions <= 9.3.8)
Date: 25.04.2024 | Source: Theme No updates available
High WordPress XStore theme <= 9.3.8 - Arbitrary Option Update vulnerability
Arbitrary Option Update vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme X... Show more
Date: 25.04.2024 | Source: Theme No updates available
High WordPress XStore Core plugin <= 5.3.8 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Plugin XSt... Show more
Date: 25.04.2024 | Source: Plugin Deactivate plugin
High WordPress XStore Core plugin <= 5.3.8 - Limited Arbitrary File Upload vulnerability
Limited Arbitrary File Upload vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress P... Show more
Date: 25.04.2024 | Source: Plugin Deactivate plugin
High WordPress XStore Core plugin <= 5.3.8 - Multiple Authenticated Broken Access Control vulnerability
Multiple Authenticated Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack)... Show more
Date: 25.04.2024 | Source: Plugin Deactivate plugin
High WordPress XStore theme <= 9.3.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme XSt... Show more
Date: 25.04.2024 | Source: Theme No updates available
High WordPress XStore theme <= 9.3.8 - Unauthenticated Broken Access Control vulnerability
Unauthenticated Broken Access Control vulnerability discovered by Rafie Muhammad (Patchstack) in Wor... Show more
Date: 25.04.2024 | Source: Theme No updates available
High WordPress XStore Core plugin <= 5.3.8 - Limited Arbitrary File Download vulnerability
Limited Arbitrary File Download vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress... Show more
Date: 25.04.2024 | Source: Plugin Deactivate plugin
Medium WordPress XStore Core plugin <= 5.3.8 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad (Patchstack) in Word... Show more
Date: 25.04.2024 | Source: Plugin Deactivate plugin
Medium WordPress XStore theme <= 9.3.8 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad (Patchstack) in Word... Show more
Theme No updates available
Hello, Budeva,
Thank you for reaching out to us.
Was solved.
1/ https://www.8theme.com/topic/security-problem-xstore-core-plugin/
2/ https://www.8theme.com/topic/the-site-loading-speed-for-nike-market-02-theme-is-very-slow/#post-397180
3/ https://www.8theme.com/topic/xstore-patcher-error-cpanel-vulnerabilities-found/
4/ https://www.8theme.com/topic/urgent-vulnerability-in-xstore-is-it-solved/#post-394132
Best Regards,
8Theme’s Team
You must be logged in to reply to this topic.Log in/Sign up