Local File Inclusion Vulnerability in XStore Theme by 8Theme
CVE-2025-11746

8.8HIGH

Key Information:

Vendor: WordPress
Status: Xstore
Vendor: CVE Published:; 15 October 2025

What is CVE-2025-11746?

The XStore theme for WordPress has a vulnerability that allows authenticated attackers with Subscriber access or higher to exploit the 'theet_ajax_required_plugins_popup()' function. This flaw facilitates the inclusion and execution of arbitrary PHP files on the server, which could potentially lead to unauthorized access to sensitive data, circumvention of access controls, or arbitrary code execution if malicious PHP files are uploaded.

Affected Version(s)

XStore * <= 9.5.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://xstore.8theme.com/update-history/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 15, 2025
Vulnerability Reserved
Oct 14, 2025

Credit

Tran Nguyen Bao Khanh (from VCI - VNPT Cyber Immunity)

JSON