CVE-2026-3326 | THREATINT

Description

The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

PUBLISHED Reserved 2026-02-27 | Published 2026-06-10 | Updated 2026-06-10 | Assigner WPScan

Problem types

CWE-89 SQL Injection

Product status

Default status

unaffected

Any version before 9.7.3

affected

Credits

Ahmed Makawi finder

WPScan coordinator

References

wpscan.com/...rability/2c5bdb17-8b12-45b5-878b-627056dc8956/ exploit vdb-entry technical-description

cve.org (CVE-2026-3326)

nvd.nist.gov (CVE-2026-3326)

Download JSON