CVE-2025-64190 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the XStore Core plugin developed by 8theme.com, which is widely used in WordPress-based e-commerce websites. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, classified under CWE-79. This flaw allows an attacker to inject malicious JavaScript code into the DOM, which executes in the context of the victim's browser when they interact with the affected page. The vulnerability affects all versions of XStore Core prior to 5.6. The CVSS 3.1 base score is 6.5, indicating medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact includes partial loss of confidentiality, integrity, and availability, as malicious scripts can steal session tokens, manipulate page content, or perform actions on behalf of the user. No patches or exploit code are currently publicly available, and no known exploits in the wild have been reported. However, the vulnerability poses a significant risk to websites using this plugin, especially those handling sensitive user data or financial transactions. The issue highlights the importance of proper input validation and output encoding in web applications to prevent DOM-based XSS attacks.

For European organizations, particularly those operating e-commerce platforms or content management systems using WordPress with the XStore Core plugin, this vulnerability can lead to unauthorized access to user sessions, theft of sensitive data, and manipulation of website content. This can result in reputational damage, financial losses, and regulatory penalties under GDPR due to data breaches. The medium severity score reflects that while exploitation requires some privileges and user interaction, the potential for scope change and partial compromise of confidentiality, integrity, and availability is significant. Attackers could leverage this vulnerability to conduct phishing, spread malware, or escalate attacks within the network. Given the widespread use of WordPress and the popularity of XStore Core in Europe, the threat could impact a broad range of sectors including retail, finance, and services. The lack of known exploits currently provides a window for proactive mitigation before widespread exploitation occurs.

European organizations should immediately verify if their WordPress installations use the XStore Core plugin and identify the version in use. Upgrading to version 5.6 or later, once available, is the primary mitigation step. Until a patch is released, organizations should implement strict Content Security Policies (CSP) to restrict the execution of untrusted scripts and reduce the impact of DOM-based XSS. Web application firewalls (WAFs) can be configured to detect and block suspicious input patterns targeting this vulnerability. Developers should audit and sanitize all user inputs and outputs in the affected plugin components, employing proper encoding techniques to neutralize malicious scripts. Regular security scanning and penetration testing focused on DOM-based XSS can help identify residual risks. Additionally, educating users about the risks of interacting with suspicious links can reduce successful exploitation. Monitoring for unusual user behavior and session anomalies can aid in early detection of exploitation attempts.