The Xstore WordPress theme contains a critical SQL injection vulnerability allowing unauthenticated attackers to compromise database integrity.

This is an unauthenticated SQL injection vulnerability where a parameter is not properly sanitized or escaped before being included in a SQL statement via an AJAX action. This allows an unauthenticated attacker to manipulate backend database queries.

With a CVSS score of 8.6, this vulnerability poses a high risk to organizational data confidentiality and integrity. Successful exploitation could lead to unauthorized access to the database, potentially resulting in the exfiltration of sensitive user information, administrative credentials, or full site compromise.

Immediate Action: Update the Xstore WordPress theme to version 9.7.3 or later immediately to incorporate the required input sanitization fixes.

Proactive Monitoring: Review web server and database logs for anomalous SQL query structures or unexpected patterns originating from AJAX endpoints.

Compensating Controls: Deploy a Web Application Firewall (WAF) with updated rulesets designed to detect and block common SQL injection attack patterns.

Public Exploit Available: false

Given the severity of SQL injection vulnerabilities, immediate patching is required to prevent potential data breaches. Administrators should verify their theme version and apply the 9.7.3 update as a priority to mitigate this significant security exposure.