CVE-2025-5534: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in calebzahnd ESV Bible Shortcode for WordPress
The ESV Bible Shortcode for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'esv' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-5534 is a stored Cross-Site Scripting (XSS) vulnerability identified in the ESV Bible Shortcode for WordPress plugin, developed by calebzahnd. This plugin allows users to embed Bible verses using the 'esv' shortcode. The vulnerability exists in all versions up to and including 1.0.2 due to improper input sanitization and insufficient output escaping of user-supplied attributes within the shortcode. Specifically, authenticated users with contributor-level access or higher can inject malicious JavaScript code into pages or posts via the shortcode attributes. Because this is a stored XSS, the injected script is saved in the WordPress database and executed whenever any user views the affected page, potentially compromising the confidentiality and integrity of user sessions. The CVSS v3.1 score is 6.4 (medium severity), reflecting that the attack vector is network-based (remote), requires low attack complexity, and privileges at the contributor level, but does not require user interaction. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. The vulnerability does not affect availability but can lead to data theft, session hijacking, or unauthorized actions performed on behalf of users. No known exploits are reported in the wild yet, and no official patches have been linked at the time of publication. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.
Potential Impact
For European organizations using WordPress sites with the ESV Bible Shortcode plugin, this vulnerability poses a significant risk to website integrity and user trust. Stored XSS can allow attackers to hijack user sessions, steal cookies, or perform actions as authenticated users, potentially leading to data breaches or defacement. Organizations in sectors such as education, religious institutions, non-profits, or any entity using this plugin to display scripture may be targeted. The impact includes loss of confidentiality of user data, potential reputational damage, and compliance risks under GDPR if personal data is compromised. Since the vulnerability requires contributor-level access, insider threats or compromised accounts could be leveraged to exploit this flaw. The scope change indicates that the vulnerability could affect multiple components or users beyond the initial plugin context, increasing the risk of widespread compromise within affected WordPress installations.
Mitigation Recommendations
1. Immediate mitigation involves restricting contributor-level user permissions to trusted individuals only, minimizing the risk of malicious shortcode injection. 2. Site administrators should monitor and audit existing content for suspicious shortcode usage or injected scripts, removing any malicious code found. 3. Implement Web Application Firewall (WAF) rules that detect and block malicious script patterns in shortcode attributes. 4. Disable or remove the ESV Bible Shortcode plugin if it is not essential to the website's functionality. 5. Since no official patch is currently available, organizations should follow the plugin developer's updates closely and apply patches promptly once released. 6. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 7. Educate content contributors on secure content creation practices and the risks of injecting untrusted code. 8. Regularly update WordPress core and all plugins to minimize exposure to known vulnerabilities.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain, Poland
CVE-2025-5534: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in calebzahnd ESV Bible Shortcode for WordPress
Description
The ESV Bible Shortcode for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'esv' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI-Powered Analysis
Technical Analysis
CVE-2025-5534 is a stored Cross-Site Scripting (XSS) vulnerability identified in the ESV Bible Shortcode for WordPress plugin, developed by calebzahnd. This plugin allows users to embed Bible verses using the 'esv' shortcode. The vulnerability exists in all versions up to and including 1.0.2 due to improper input sanitization and insufficient output escaping of user-supplied attributes within the shortcode. Specifically, authenticated users with contributor-level access or higher can inject malicious JavaScript code into pages or posts via the shortcode attributes. Because this is a stored XSS, the injected script is saved in the WordPress database and executed whenever any user views the affected page, potentially compromising the confidentiality and integrity of user sessions. The CVSS v3.1 score is 6.4 (medium severity), reflecting that the attack vector is network-based (remote), requires low attack complexity, and privileges at the contributor level, but does not require user interaction. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. The vulnerability does not affect availability but can lead to data theft, session hijacking, or unauthorized actions performed on behalf of users. No known exploits are reported in the wild yet, and no official patches have been linked at the time of publication. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.
Potential Impact
For European organizations using WordPress sites with the ESV Bible Shortcode plugin, this vulnerability poses a significant risk to website integrity and user trust. Stored XSS can allow attackers to hijack user sessions, steal cookies, or perform actions as authenticated users, potentially leading to data breaches or defacement. Organizations in sectors such as education, religious institutions, non-profits, or any entity using this plugin to display scripture may be targeted. The impact includes loss of confidentiality of user data, potential reputational damage, and compliance risks under GDPR if personal data is compromised. Since the vulnerability requires contributor-level access, insider threats or compromised accounts could be leveraged to exploit this flaw. The scope change indicates that the vulnerability could affect multiple components or users beyond the initial plugin context, increasing the risk of widespread compromise within affected WordPress installations.
Mitigation Recommendations
1. Immediate mitigation involves restricting contributor-level user permissions to trusted individuals only, minimizing the risk of malicious shortcode injection. 2. Site administrators should monitor and audit existing content for suspicious shortcode usage or injected scripts, removing any malicious code found. 3. Implement Web Application Firewall (WAF) rules that detect and block malicious script patterns in shortcode attributes. 4. Disable or remove the ESV Bible Shortcode plugin if it is not essential to the website's functionality. 5. Since no official patch is currently available, organizations should follow the plugin developer's updates closely and apply patches promptly once released. 6. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 7. Educate content contributors on secure content creation practices and the risks of injecting untrusted code. 8. Regularly update WordPress core and all plugins to minimize exposure to known vulnerabilities.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-06-03T15:03:15.841Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68429199182aa0cae20492e5
Added to database: 6/6/2025, 6:58:33 AM
Last enriched: 7/7/2025, 5:56:14 PM
Last updated: 8/3/2025, 11:21:19 PM
Views: 12
Related Threats
CVE-2025-30127: n/a
UnknownCVE-2025-20332: Incorrect Authorization in Cisco Cisco Identity Services Engine Software
MediumCVE-2025-20331: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Cisco Cisco Identity Services Engine Software
MediumCVE-2025-20215: Improper Certificate Validation in Cisco Cisco Webex Meetings
MediumCVE-2025-53786: CWE-287: Improper Authentication in Microsoft Microsoft Exchange Server Subscription Edition RTM
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.