The FiboSearch – Ajax Search for WooCommerce plugin for WordPress suffers from a stored Cross-Site Scripting vulnerability (CWE-79) via the thegem_te_search shortcode. This vulnerability is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied shortcode attributes. Attackers with authenticated Contributor-level or higher privileges can inject arbitrary JavaScript that executes in the context of users viewing the injected pages. Successful exploitation requires the TheGem premium theme with Header Builder mode enabled and the FiboSearch "Replace search bars" option enabled for TheGem integration. The vulnerability affects all plugin versions up to 1.32.0. The CVSS 3.1 score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, user interaction required, and partial confidentiality and integrity impact. No patch or remediation details are provided in the available data.

An authenticated attacker with Contributor-level or higher access can inject persistent malicious scripts into pages via the vulnerable shortcode. These scripts execute whenever users access the compromised pages, potentially leading to partial confidentiality and integrity impacts such as session hijacking or unauthorized actions within the affected site context. The vulnerability does not impact availability. Exploitation requires specific plugin and theme configurations, limiting the attack surface.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider disabling the TheGem theme's Header Builder mode or the FiboSearch "Replace search bars" option for TheGem integration to reduce exposure. Restrict Contributor-level access to trusted users only. Monitor vendor channels for updates and apply official patches promptly once available.