CVE Alert: CVE-2025-11746 – 8theme – XStore

CVE-2025-11746

HIGH (No exploitation known)

The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via the et_ajax_required_plugins_popup() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CVSS v3.1 (8.8)
Vendor
8theme
Product
XStore
Versions
* <= 9.5.4
CWE
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-10-15T02:26:27.267Z
Updated
2025-10-15T18:39:07.749Z

AI Summary Analysis

**Risk verdict** High risk from authenticated Local File Inclusion leading to code execution; no active exploitation reported, but patch promptly.

**Why this matters** For WordPress sites using XStore, a Subscriber+ user could trigger arbitrary PHP execution on the server, potentially exposing sensitive data or taking full control of the site. The combination of high impact and accessible preconditions means even scoped breaches can cascade to site defacement, data exfiltration, or credential harvesting within the WordPress ecosystem.

**Most likely attack path** An attacker with a Subscriber+ account accesses the vulnerable AJAX function and causes local file inclusion to load and execute a PHP file of the attacker’s choosing. With no UI interaction required, the attacker can operate over standard web requests, and successful code execution yields total impact on the host. Given the Privileges-Required Low setting, exploitation is plausible by a small set of authenticated users, with potential lateral/data-impact limited primarily to the compromised host.

**Who is most exposed** Sites running XStore up to version 9.5.4 on WordPress, especially in shared or managed hosting, where Subscriber-level accounts exist or can be created by site admins.

Detection ideas

  • Unusual or unexpected PHP file executions tied to the et_ajax_required_plugins_popup endpoint.
  • Web server logs showing requests to the vulnerable AJAX path with anomalous query patterns.
  • Outbound data exfiltration or new admin activity following login from a non-admin account.
  • WAF or RASP alerts for local file inclusion patterns.
  • Unexpected filesystem changes or newly created PHP files in the webroot.
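The second and fourth detection ideas above (anomalous requests to the AJAX path, LFI patterns) can be turned into a first-pass log triage. The script below is an added example and is not part of the CVE record or any 8theme tooling. It assumes combined-format access logs and that the vulnerable function is reached through WordPress's admin-ajax.php with an `action` parameter; the advisory does not state the action name or the parameter that carries the file path, so `ACTION_HINT` and the `plugin` parameter in the constructed sample lines are assumptions used only for tagging. A request is reported only when a parameter carries a directory-traversal sequence or an absolute path to a .php file; a bare match on the action name is recorded as context but does not by itself produce a finding, since administrators legitimately use the theme's plugin popup.

```python
"""Heuristic triage of access logs for LFI-style requests to WordPress admin-ajax.php.

Added example, not part of the CVE record. Assumes combined log format and that the
vulnerable function is reached via admin-ajax.php; ACTION_HINT is an assumption.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Traversal sequence after decoding: "../" or "..\" (covers %2e%2e%2f and double-encoded forms)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Absolute path (POSIX or Windows drive) ending in .php
ABS_PHP_RE = re.compile(r"^(?:/|[a-z]:\\).*\.php$", re.IGNORECASE)
# Assumed action name for tagging only; the advisory names the function, not the AJAX action.
ACTION_HINT = "et_ajax_required_plugins_popup"

# Constructed sample lines (not real traffic). Line 2 carries a URL-encoded traversal
# sequence, line 3 an absolute .php path, line 4 is outside admin-ajax.php and is ignored.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Oct/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512
203.0.113.11 - - [15/Oct/2025:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=et_ajax_required_plugins_popup&plugin=..%2F..%2F..%2Fwp-content%2Fuploads%2Fx.php HTTP/1.1" 200 1024
203.0.113.12 - - [15/Oct/2025:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=et_ajax_required_plugins_popup&plugin=/tmp/x.php HTTP/1.1" 200 300
203.0.113.13 - - [15/Oct/2025:10:04:00 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 200
"""


def inspect_request(path):
    """Return the reasons a request to admin-ajax.php looks like an LFI attempt, or [] if benign.

    Only requests whose path ends in /wp-admin/admin-ajax.php are examined; everything else
    is out of scope for this particular advisory and returns [].
    """
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    reasons = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once already; a second unquote exposes double-encoded payloads.
        decoded = unquote(value)
        if TRAVERSAL_RE.search(decoded):
            reasons.append(f"traversal sequence in parameter '{key}'")
        elif ABS_PHP_RE.search(decoded):
            reasons.append(f"absolute path to a .php file in parameter '{key}'")
        if key == "action" and ACTION_HINT in value:
            reasons.append(f"action references {ACTION_HINT} (assumed action name)")
    # An action-name match alone is not a finding; require a path-shaped indicator.
    if not any(r.startswith(("traversal", "absolute")) for r in reasons):
        return []
    return reasons


def scan_log(text):
    """Parse log lines and return a list of findings, each with ip, timestamp, status and reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production tool would count these separately
        reasons = inspect_request(m.group("path"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "path": m.group("path"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], "; ".join(f["reasons"]))
```

On a real host, feed the access log through `scan_log` and correlate each hit with the authenticated user (from the WordPress session or a security plugin's audit log), since the advisory's precondition is a Subscriber-level account; a 200 response to a flagged request from a low-privilege user is the case to escalate.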

Mitigation and prioritisation

  • Apply the vendor patch to the latest XStore version (upgrading beyond 9.5.4).
  • Restrict or disable Subscriber+ accounts where feasible; enforce least privilege.
  • Implement a web application firewall rule targeting LFI patterns and the affected AJAX endpoint.
  • Monitor and alert on any PHP file inclusions or new PHP files in the webroot; tighten file upload controls if applicable.
  • Schedule patching in a controlled window (test in staging first); document change-control notes.
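The first mitigation step needs an inventory answer: which installations actually run an affected XStore build. The script below is an added example for that triage, not tooling from 8theme or the CVE record. It relies only on the standard WordPress theme layout, in which each directory under wp-content/themes carries a style.css whose leading comment block holds `Theme Name:` and `Version:` lines; the sample header is constructed. Child themes are skipped because they declare their own version, not the parent's.

```python
"""Report whether an installed XStore theme falls in the affected range (<= 9.5.4).

Added example, not vendor tooling. Assumes the WordPress style.css header convention.
"""
import re
from pathlib import Path

LAST_AFFECTED = "9.5.4"  # from the advisory: all versions up to and including 9.5.4

# Header lines look like "Theme Name: XStore" or " * Version: 9.5.3" inside the leading comment.
HEADER_RE = re.compile(
    r"^\s*\*?\s*(?P<key>Theme Name|Version)\s*:\s*(?P<val>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample style.css header (not taken from the real theme).
SAMPLE_STYLE_CSS = """\
/*
Theme Name: XStore
Theme URI: https://example.invalid/xstore
Author: 8theme
Version: 9.5.3
License: GPLv2
*/
body { margin: 0; }
"""


def parse_theme_header(style_css):
    """Extract 'theme name' and 'version' (lower-cased keys) from the header comment block."""
    head = style_css.split("*/", 1)[0]  # only the first comment block is the WordPress header
    return {m.group("key").lower(): m.group("val") for m in HEADER_RE.finditer(head)}


def version_key(version):
    """'9.5.4' -> (9, 5, 4). Non-numeric suffixes such as '-rc1' are dropped from each part."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def is_affected(version):
    """True when the version is at or below the last affected release named in the advisory."""
    return version_key(version) <= version_key(LAST_AFFECTED)


def check_themes_dir(themes_dir):
    """Scan a wp-content/themes directory and report every XStore install with its exposure."""
    results = []
    for style in Path(themes_dir).glob("*/style.css"):
        header = parse_theme_header(style.read_text(encoding="utf-8", errors="replace"))
        # Child themes (e.g. "XStore Child") carry their own version, so only the parent counts.
        if header.get("theme name", "").strip().lower() != "xstore":
            continue
        version = header.get("version", "").strip()
        results.append({
            "path": str(style.parent),
            "version": version,
            "affected": is_affected(version) if version else None,  # None: header unreadable
        })
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for r in check_themes_dir(sys.argv[1]):
            state = {True: "AFFECTED", False: "patched", None: "version unknown"}[r["affected"]]
            print(f"{r['path']}: XStore {r['version'] or '?'} -> {state}")
    else:
        header = parse_theme_header(SAMPLE_STYLE_CSS)
        print(header["theme name"], header["version"], "affected:", is_affected(header["version"]))
```

Run it as `python check_xstore.py /var/www/html/wp-content/themes` on each host; an `affected` result is the signal to schedule the upgrade, and a `version unknown` result means the header could not be read and the install should be checked by hand.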
