Skip to main content

CVE-2025-5534: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in calebzahnd ESV Bible Shortcode for WordPress

Medium
VulnerabilityCVE-2025-5534cvecve-2025-5534cwe-79
Published: Fri Jun 06 2025 (06/06/2025, 06:42:48 UTC)
Source: CVE Database V5
Vendor/Project: calebzahnd
Product: ESV Bible Shortcode for WordPress

Description

The ESV Bible Shortcode for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'esv' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AILast updated: 07/07/2025, 17:56:14 UTC

Technical Analysis

CVE-2025-5534 is a stored Cross-Site Scripting (XSS) vulnerability identified in the ESV Bible Shortcode for WordPress plugin, developed by calebzahnd. This plugin allows users to embed Bible verses using the 'esv' shortcode. The vulnerability exists in all versions up to and including 1.0.2 due to improper input sanitization and insufficient output escaping of user-supplied attributes within the shortcode. Specifically, authenticated users with contributor-level access or higher can inject malicious JavaScript code into pages or posts via the shortcode attributes. Because this is a stored XSS, the injected script is saved in the WordPress database and executed whenever any user views the affected page, potentially compromising the confidentiality and integrity of user sessions. The CVSS v3.1 score is 6.4 (medium severity), reflecting that the attack vector is network-based (remote), requires low attack complexity, and privileges at the contributor level, but does not require user interaction. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. The vulnerability does not affect availability but can lead to data theft, session hijacking, or unauthorized actions performed on behalf of users. No known exploits are reported in the wild yet, and no official patches have been linked at the time of publication. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

Potential Impact

For European organizations using WordPress sites with the ESV Bible Shortcode plugin, this vulnerability poses a significant risk to website integrity and user trust. Stored XSS can allow attackers to hijack user sessions, steal cookies, or perform actions as authenticated users, potentially leading to data breaches or defacement. Organizations in sectors such as education, religious institutions, non-profits, or any entity using this plugin to display scripture may be targeted. The impact includes loss of confidentiality of user data, potential reputational damage, and compliance risks under GDPR if personal data is compromised. Since the vulnerability requires contributor-level access, insider threats or compromised accounts could be leveraged to exploit this flaw. The scope change indicates that the vulnerability could affect multiple components or users beyond the initial plugin context, increasing the risk of widespread compromise within affected WordPress installations.

Mitigation Recommendations

1. Immediate mitigation involves restricting contributor-level user permissions to trusted individuals only, minimizing the risk of malicious shortcode injection. 2. Site administrators should monitor and audit existing content for suspicious shortcode usage or injected scripts, removing any malicious code found. 3. Implement Web Application Firewall (WAF) rules that detect and block malicious script patterns in shortcode attributes. 4. Disable or remove the ESV Bible Shortcode plugin if it is not essential to the website's functionality. 5. Since no official patch is currently available, organizations should follow the plugin developer's updates closely and apply patches promptly once released. 6. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 7. Educate content contributors on secure content creation practices and the risks of injecting untrusted code. 8. Regularly update WordPress core and all plugins to minimize exposure to known vulnerabilities.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-06-03T15:03:15.841Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68429199182aa0cae20492e5

Added to database: 6/6/2025, 6:58:33 AM

Last enriched: 7/7/2025, 5:56:14 PM

Last updated: 8/3/2025, 11:21:19 PM

Views: 12

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats