CVE-2025-59556: 
WordPress vulnerability analysis and mitigation

The GoStore WordPress theme was found to contain a Reflected Cross-Site Scripting vulnerability (CVE-2025-59556) affecting all versions prior to 1.6.4. The vulnerability was discovered by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity and was publicly disclosed on October 15, 2025 (WPScan, Patchstack).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, categorized under OWASP Top 10 A7 and CWE-79. The security flaw stems from insufficient input sanitization and output escaping in the theme's code. The vulnerability has received a CVSS score of 6.1 (medium) according to WPScan, while Patchstack rates it at 7.1, indicating a moderately dangerous security risk (WPScan, Patchstack).

The vulnerability allows unauthenticated attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will execute when users visit the affected pages, potentially compromising the security of site visitors (Patchstack).

Website administrators are advised to update the GoStore theme to version 1.6.4 or later, which contains the fix for this vulnerability. Patchstack has issued a mitigation rule to block any attacks until users can update to the fixed version (Patchstack).