CVE-2025-60100 is a medium-severity vulnerability classified under CWE-80, which refers to improper neutralization of script-related HTML tags in a web page, commonly known as a basic Cross-Site Scripting (XSS) vulnerability. This vulnerability affects the 8theme XStore product, specifically versions up to 9.5.3. The issue arises because the application fails to properly sanitize or encode user-supplied input before rendering it in the web page, allowing an attacker to inject malicious scripts. These scripts can execute in the context of the victim's browser, potentially leading to unauthorized actions such as session hijacking, cookie theft, or redirection to malicious sites. The CVSS v3.1 score for this vulnerability is 5.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) shows that the attack can be performed remotely over the network without any privileges or user interaction, but the impact is limited to confidentiality (partial data disclosure), with no direct impact on integrity or availability. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. The vulnerability is publicly disclosed as of September 26, 2025.

For European organizations using the 8theme XStore product, this vulnerability poses a risk primarily to the confidentiality of user data. Attackers could exploit the XSS flaw to steal session cookies or other sensitive information from users interacting with affected web pages, potentially leading to account compromise or unauthorized access to user accounts. While the vulnerability does not directly impact data integrity or system availability, the exploitation could facilitate further attacks such as phishing or social engineering campaigns targeting customers or employees. E-commerce platforms and businesses relying on XStore themes for their online storefronts may face reputational damage and loss of customer trust if exploited. Additionally, regulatory frameworks such as the GDPR impose strict requirements on protecting personal data, and exploitation of this vulnerability could lead to compliance issues and financial penalties if personal data is compromised.

To mitigate this vulnerability, European organizations should implement the following specific measures: 1) Immediately review and update the 8theme XStore product to the latest version once a patch is released by the vendor. 2) In the absence of a patch, apply web application firewall (WAF) rules to detect and block common XSS attack patterns targeting the affected endpoints. 3) Conduct a thorough code review and sanitize all user inputs that are reflected in web pages, using context-appropriate encoding (e.g., HTML entity encoding) to neutralize script tags and attributes. 4) Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS attacks. 5) Educate developers and administrators on secure coding practices to prevent similar vulnerabilities. 6) Monitor web traffic and logs for unusual activity that may indicate exploitation attempts. 7) Perform regular security assessments and penetration testing focusing on XSS vulnerabilities in the web application environment.