The Sermon Manager plugin for WordPress, widely used by churches and religious organizations to manage and display sermon content, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-12368. This vulnerability exists in the handling of the 'sermon-views' shortcode, where user-supplied attributes are insufficiently sanitized and improperly escaped before being rendered on web pages. As a result, authenticated users with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or fixes are currently linked, and no active exploitation has been reported. The vulnerability affects all versions up to and including 2.30.0 of the Sermon Manager plugin. Given the plugin’s use in WordPress environments, the vulnerability could be leveraged to target religious organizations’ websites, potentially undermining trust and exposing sensitive user data.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on affected WordPress sites using the Sermon Manager plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, enabling theft of session cookies, redirection to malicious sites, or execution of unauthorized actions. This can lead to account takeover, defacement, or further compromise of the website. Although availability is not directly affected, the reputational damage and loss of user trust can be significant, especially for organizations relying on their websites for community engagement and communication. The requirement for authenticated access limits the attack surface but does not eliminate risk, as Contributor-level accounts are common in collaborative environments. The scope of affected systems includes all WordPress sites using the vulnerable plugin version, which may be widespread among religious and community organizations globally. The absence of known exploits in the wild suggests limited current exploitation but also highlights the need for proactive mitigation before attackers develop weaponized payloads.

Organizations should immediately review user roles and permissions to restrict Contributor-level access to trusted individuals only. Implement strict input validation and output encoding on all user-supplied data, especially in shortcodes and plugin inputs. Monitor and audit user activities to detect suspicious behavior indicative of attempted script injection. Since no official patch is currently available, consider temporarily disabling the 'sermon-views' shortcode or the Sermon Manager plugin until a fix is released. Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting this plugin. Educate site administrators and contributors on the risks of XSS and the importance of cautious content submission. Regularly update WordPress core and plugins to the latest versions once patches are released. Conduct security testing and code reviews on custom plugins or themes that interact with user input to prevent similar vulnerabilities.