PatchSiren cyber security CVE debrief
CVE-2026-3326 Xstore CVE debrief
A SQL injection vulnerability was discovered in the Xstore WordPress theme prior to version 9.7.3. The vulnerability occurs due to improper sanitization and escaping of a parameter used in a SQL statement via an AJAX action accessible to unauthenticated users.
- Vendor: Xstore
- Product: WordPress theme
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Administrators of WordPress sites running the Xstore theme at any version prior to 9.7.3 are affected. Because the vulnerable AJAX action is available to unauthenticated users, exposure does not depend on an attacker holding an account on the site.
Technical summary
The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection vulnerability.
Defensive priority
HIGH
Recommended defensive actions
- Update the Xstore WordPress theme to version 9.7.3 or later.
- Implement additional security measures to restrict access to sensitive data and functionality.
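
To find installs that still need the update in the first action above, the following added example (not part of the advisory or of the theme's own code) reads the `Version:` header from each theme's `style.css` and flags anything below 9.7.3. It assumes the standard WordPress `style.css` header fields; the `xstore` match string, the script name and the themes path in the usage comment are assumptions.

```python
import re
import sys
from pathlib import Path

FIXED = (9, 7, 3)  # first fixed release named in the advisory

# Header fields as they appear in a WordPress theme's style.css comment block.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version|Template)\s*:\s*(.+?)\s*$",
                       re.IGNORECASE | re.MULTILINE)

def parse_header(style_css):
    """Return the Theme Name / Version / Template header fields, keys lowercased."""
    fields = {}
    for key, value in HEADER_RE.findall(style_css[:8192]):  # WordPress reads only the first 8 KiB
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """'9.7.2' -> (9, 7, 2); None when no leading dotted number is present."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else None

def assess(style_css):
    """Classify one style.css against the fixed version."""
    fields = parse_header(style_css)
    if "template" in fields:  # child theme: the affected code lives in the parent
        return "child of '%s': check the parent theme" % fields["template"]
    ver = version_tuple(fields.get("version", ""))
    if ver is None:
        return "version unknown: review manually"
    return "vulnerable" if ver < FIXED else "patched"

def audit(themes_dir, name_hint="xstore"):  # name_hint is an assumed match string
    """Map theme directory name -> status for installed themes matching name_hint."""
    report = {}
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        text = css.read_text(encoding="utf-8", errors="replace")
        fields = parse_header(text)
        names = [css.parent.name, fields.get("theme name", ""), fields.get("template", "")]
        if name_hint in " ".join(names).lower():
            report[css.parent.name] = assess(text)
    return report

if __name__ == "__main__":
    # Usage (assumed path): python audit_xstore.py /var/www/html/wp-content/themes
    for theme, status in audit(sys.argv[1]).items():
        print(f"{theme}: {status}")
```

A child theme carries its own unrelated version number, so it is reported separately and the parent's status is what decides exposure.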
Evidence notes
The CVE-2026-3326 record was obtained from the official CVE.org database and the NVD detail page.
Official resources
- CVE-2026-3326 CVE record (CVE.org)
- CVE-2026-3326 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-3326 was published on 2026-06-10T07:16:25.263Z and modified on 2026-06-10T19:41:25.327Z.