The vulnerability CVE-2025-64189 affects the 8theme XStore Core plugin, specifically versions prior to 5.6. It is caused by improper neutralization of input during web page generation, resulting in a reflected cross-site scripting (XSS) flaw. This allows attackers to inject malicious scripts that can execute in the victim's browser when they interact with crafted input. The CVSS v3.1 score is 7.1 (high), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability at a low level. There are no vendor-provided patches or advisories linked in the data, and no known exploits in the wild have been reported.

Successful exploitation of this vulnerability can lead to execution of arbitrary scripts in the context of the affected web application, potentially allowing attackers to steal user credentials, manipulate content, or perform actions on behalf of the user. The impact includes limited confidentiality, integrity, and availability loss as indicated by the CVSS vector. Since it is a reflected XSS, exploitation requires user interaction (e.g., clicking a crafted link).

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix is referenced, users of 8theme XStore Core should monitor the vendor's communications for updates and apply any official patches once available. In the meantime, consider implementing web application firewall (WAF) rules to detect and block reflected XSS attempts and educate users about the risks of clicking untrusted links related to the affected application.