CVE-2025-64191 is a reflected Cross-site Scripting vulnerability in 8theme XStore versions before 9.6.1. It results from improper input neutralization during web page generation, enabling attackers to inject malicious scripts that execute in users' browsers. The vulnerability has a CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network attack vector, low attack complexity, no privileges required, user interaction needed, scope changed, and low impact on confidentiality, integrity, and availability. No patch or vendor advisory is currently available, and no known active exploitation has been reported.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of a victim's browser, potentially leading to information disclosure, session hijacking, or other impacts on confidentiality, integrity, and availability. The reflected nature means the attack requires user interaction, such as clicking a crafted link. The CVSS score of 7.1 reflects a high severity with potential partial loss of confidentiality, integrity, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution with untrusted input and consider implementing web application firewall (WAF) rules to detect and block reflected XSS attempts. Monitor official 8theme channels for updates and apply patches promptly once available.