CVE-2026-3326 | Severity: HIGH | CNA: WPScan

CVE-2026-3326: XStore < 9.7.3 - Unauthenticated SQLi

The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Metrics

CVSS v3.1: 8.6
Severity: HIGH
Fixed in: 9.7.3
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the XStore WordPress theme before version 9.7.3. The flaw is reachable over the network with no credentials required: a parameter passed through an AJAX action is used in a SQL query without sanitization or escaping. Successful exploitation lets an attacker read arbitrary data from the WordPress database. A patched-image rebuild at version 9.7.3 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment - the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle the XStore theme. Any image carrying a version of XStore below 9.7.3 is flagged automatically.

Triage: Available

HarborGuard scores this issue at CVSS 8.6 HIGH and is capable of weighting that score against each environment's compliance policy to prioritize alert routing. Triage tickets are routed to the appropriate team inbox within each customer organization based on policy configuration.

Patch: Available

A patched-image rebuild at XStore 9.7.3 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable AJAX endpoint is exposed over the network, so an attacker must be able to reach the WordPress instance via HTTP/HTTPS.

  • Authentication: Not required

    The AJAX action is available to unauthenticated users, so no account or session token is needed to send the malicious request.

  • Victim interaction: Not required

    The attacker sends the crafted request directly to the server; no user action or social engineering is required.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions such as race timing or specific memory layout.

Blast Radius

  • Reads arbitrary rows from the WordPress database, including wp_users entries containing hashed passwords and email addresses.
  • Reads stored session tokens, authentication keys, and secret salts from wp_options, enabling further account takeover.
  • Reads any custom post type or metadata stored by WooCommerce or other plugins, including order details and customer PII.
  • The scope is changed (S:C in the CVSS vector), meaning the impact extends beyond the vulnerable component to other resources sharing the database.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all customer scanning pipelines and will flag any image bundling XStore below 9.7.3 within minutes of the image appearing in a registry or CI pipeline. The issue is scored CVSS 8.6 HIGH with a changed scope, meaning database access from this exploit is not bounded to the theme itself. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at XStore 9.7.3, runs a regression suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage patching manually can find the fixed version pinned in the HarborGuard remediation panel alongside the affected image list.
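The flagging rule described above (any XStore install below 9.7.3 is affected) can be reproduced locally for teams that patch manually. The script below is an added example, not HarborGuard's scanner and not the theme's code: it parses the header comment that every WordPress theme declares at the top of its style.css, reads the Version field and compares it numerically against the fixed release 9.7.3. The sample headers embedded in it are constructed for the demonstration, and the example.invalid URL is a placeholder.

```python
"""Flag WordPress theme installs affected by CVE-2026-3326 (XStore < 9.7.3).

Added example, not HarborGuard's scanner or the theme's own code. It reads the
header comment that every WordPress theme declares at the top of style.css,
extracts the Version field and compares it with the fixed release 9.7.3.
"""
import re
import sys
from pathlib import Path

FIXED_VERSION = "9.7.3"   # first non-vulnerable release, per the advisory
THEME_NAME = "xstore"     # compared case-insensitively against "Theme Name:"

# One "Key: value" line inside the header comment block.
HEADER_LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<key>[A-Za-z ]+):\s*(?P<value>.+?)\s*$", re.MULTILINE
)


def parse_theme_header(style_css: str) -> dict:
    """Return the key/value pairs of the leading /* ... */ block, keys lower-cased."""
    block = re.search(r"/\*(.*?)\*/", style_css, re.DOTALL)
    if block is None:
        return {}
    return {
        m.group("key").strip().lower(): m.group("value")
        for m in HEADER_LINE_RE.finditer(block.group(1))
    }


def version_key(version: str) -> tuple:
    """Turn '9.7.2' (or '9.7.2-rc1') into a tuple that compares numerically."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def assess(style_css: str) -> dict:
    """Classify one style.css: is it XStore, which version, and is it below 9.7.3?"""
    header = parse_theme_header(style_css)
    name = header.get("theme name", "")
    version = header.get("version", "")
    is_xstore = name.strip().lower() == THEME_NAME
    affected = (
        is_xstore and bool(version)
        and version_key(version) < version_key(FIXED_VERSION)
    )
    return {"theme": name, "version": version, "affected": affected}


def scan_themes_dir(themes_root: Path) -> list:
    """Walk wp-content/themes/*/style.css and return one assessment per theme.

    Child themes carry their own Version: and a Template: line naming the
    parent, so the parent theme's own directory is what decides exposure.
    """
    results = []
    for css in sorted(themes_root.glob("*/style.css")):
        verdict = assess(css.read_text(errors="replace"))
        verdict["path"] = str(css)
        results.append(verdict)
    return results


# Constructed sample headers (not real theme files) so the script runs offline.
SAMPLE_AFFECTED = """/*
Theme Name: XStore
Theme URI: https://example.invalid/xstore
Version: 9.7.2
*/"""

SAMPLE_FIXED = """/*
Theme Name: XStore
Version: 9.7.3
*/"""

SAMPLE_OTHER = """/*
Theme Name: Twenty Twenty-Four
Version: 1.0
*/"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_xstore.py /var/www/html/wp-content/themes
        for verdict in scan_themes_dir(Path(sys.argv[1])):
            print(verdict)
    else:
        for sample in (SAMPLE_AFFECTED, SAMPLE_FIXED, SAMPLE_OTHER):
            print(assess(sample))
```

Run it against a site's wp-content/themes directory (or a container image's extracted filesystem) and treat any result with affected set to True as an instance to rebuild at 9.7.3. Because the comparison is numeric rather than string-based, a future 9.10.x release is correctly recognised as newer than 9.7.3.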


Fix available: 9.7.3
Affected packages
  • Unknown / Xstore: < 9.7.3 (from 0)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N