CVE-2025-64190 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the 8theme XStore Core plugin, affecting versions prior to 5.6. The vulnerability stems from improper neutralization of user input during web page generation, which allows malicious scripts to be injected and executed in the context of a victim's browser. This type of XSS is particularly dangerous because it exploits client-side scripts that dynamically generate web content, making traditional server-side input validation insufficient. The attack requires low privileges (PR:L) and user interaction (UI:R), such as clicking a crafted link or visiting a malicious page, to trigger the exploit. The vulnerability has a CVSS vector of AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating network attack vector, low attack complexity, low privileges required, user interaction needed, scope change, and low impact on confidentiality, integrity, and availability individually but combined impact is significant. Although no known exploits are currently reported in the wild, the vulnerability affects a widely used WordPress plugin that powers many e-commerce sites, increasing the potential attack surface. The vulnerability can lead to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, and disruption of service. The lack of an official patch at the time of reporting necessitates immediate mitigation efforts by administrators.

The vulnerability could allow attackers to execute arbitrary JavaScript in the browsers of users visiting affected websites, leading to theft of session cookies, credentials, and other sensitive data. This compromises user confidentiality and integrity, enabling account takeover or fraudulent transactions. The availability of the service can also be impacted if attackers inject scripts that disrupt normal site functionality or perform denial-of-service actions. Given the plugin's prevalence in e-commerce platforms, the impact extends to financial losses, reputational damage, and regulatory compliance issues for affected organizations. The requirement for user interaction limits automated exploitation but does not significantly reduce risk due to common user behaviors such as clicking links or visiting compromised sites. The scope change (S:C) indicates that the vulnerability affects resources beyond the vulnerable component, potentially impacting the entire web application and its users.

Organizations should monitor 8theme's official channels for security patches and apply updates to XStore Core promptly once available. In the interim, implement strict client-side input validation and output encoding to neutralize potentially malicious inputs. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Review and harden user privilege assignments to minimize the risk posed by low-privilege accounts. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the plugin. Conduct regular security assessments and penetration testing focusing on client-side vulnerabilities. Educate users about the risks of clicking untrusted links and encourage safe browsing practices. Finally, monitor logs and network traffic for signs of exploitation attempts or anomalous behavior related to the vulnerability.