CVE-2024-33559

CRITICAL

8theme XStore <9.3.5 - SQL Injection


Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-33559. PoCs published by Abdualhadi khalifa, absholi7ly.

AI-analyzed exploit summary: the exploit demonstrates a SQL injection in the WordPress theme XStore (the PoC names 9.3.8 as its target) via a crafted POST request. The payload injects SQL into the search parameter, potentially allowing unauthorized database access. Note that the PoC's stated target version (9.3.8) is later than the affected range given in the advisory (through 9.3.5); confirm the installed version against the vendor's release notes rather than triaging on the version number alone.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore allows SQL Injection. This issue affects XStore from n/a through 9.3.5 (that is, 9.3.5 and all earlier versions).
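The following is an added, generic illustration of the CWE-89 pattern described above (a search term concatenated into a SQL statement) beside its parameterized fix. It is not XStore's code, schema, or the published PoC's payload: the table, rows, search functions and the `' OR 1=1 --` payload are all constructed for this example, and SQLite stands in for MySQL.

```python
import sqlite3

# Constructed sample catalogue (assumption for this example; not XStore's schema).
# The unpublished row is the data a search must never expose.
PRODUCTS = [
    ("Oak Table", 1),
    ("Oak Chair", 1),
    ("Hidden Draft", 0),
]

# Constructed payload: closes the LIKE string, makes the WHERE clause always true,
# and comments out the remainder of the statement.
PAYLOAD = "' OR 1=1 --"


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO products (name, published) VALUES (?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """CWE-89: the user-supplied term is spliced into the statement as SQL text."""
    sql = (
        "SELECT name FROM products WHERE published = 1 "
        "AND name LIKE '%" + term + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    """Fixed form: the term is bound as a parameter, so quotes and comments are data."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo():
    """Run both handlers with a benign term and with the payload; return the results."""
    conn = make_db()
    return {
        "vulnerable_benign": sorted(search_vulnerable(conn, "Oak")),
        "vulnerable_payload": sorted(search_vulnerable(conn, PAYLOAD)),
        "hardened_benign": search_hardened(conn, "Oak"),
        "hardened_payload": search_hardened(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the vulnerable handler's `published = 1` filter is neutralised by the injected `OR 1=1` and the unpublished row comes back; the parameterized handler simply finds no product named like the payload string. In a WordPress theme the equivalent of the hardened form is building the query through `$wpdb->prepare()` with placeholders instead of interpolating `$_POST` values into the SQL string.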

Exploits (2)

exploitdb WORKING POC
by Abdualhadi khalifa · text · webapps · php
https://www.exploit-db.com/exploits/52019

This exploit demonstrates a SQL injection vulnerability in WordPress Theme XStore 9.3.8 via a crafted POST request. The payload injects a SQL query into the search parameter, potentially allowing unauthorized database access.

Classification
Working PoC (90% confidence)
Attack Type
SQLi
Complexity
Trivial
Reliability
Reliable
Target: WordPress Theme XStore 9.3.8
No auth needed
Prerequisites: Target running WordPress with XStore theme version 9.3.8 · Access to the target's web interface
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 9 stars
by absholi7ly · poc
https://github.com/absholi7ly/WordPress-XStore-theme-SQL-Injection

The repository contains a functional proof-of-concept for a SQL injection vulnerability in the WordPress XStore theme (CVE-2024-33559). The PoC demonstrates an unauthenticated SQLi via a crafted POST request to the search parameter.

Classification
Working PoC (90% confidence)
Attack Type
SQLi
Complexity
Trivial
Reliability
Reliable
Target: WordPress XStore theme (8theme)
No auth needed
Prerequisites: Target running vulnerable XStore theme · Access to the WordPress search endpoint
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 9.3
EPSS 0.0672 (6.72%)
EPSS Percentile 91.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
8theme/XStore < 9.3.5
Published Apr 29, 2024
Tracked Since Feb 18, 2026