| Plugin Name | Bible SuperSearch |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2025-8064 |
| Urgency | Low |
| CVE Publish Date | 2025-08-20 |
| Source URL | CVE-2025-8064 |
Bible SuperSearch <= 6.0.1 — Authenticated (Contributor+) Stored XSS via selector_height: What site owners and developers must do now
TL;DR
A stored Cross‑Site Scripting (XSS) vulnerability affecting the WordPress plugin “Bible SuperSearch” (versions ≤ 6.0.1) has been disclosed (CVE‑2025‑8064). An authenticated user with Contributor privileges or higher can inject a payload via the plugin’s selector_height parameter. The payload is persisted and can execute later in the context of administrators or site visitors. The plugin author fixed the issue in version 6.1.0.
Immediate actions (quick list):
- Update Bible SuperSearch to 6.1.0 (or later) immediately.
- If you cannot update right away, restrict Contributor+ accounts, disable the plugin, or apply virtual patching via your hosting/WAF provider.
- Scan your database and widget/plugin settings for suspicious selector_height values or embedded script tags and remove them.
- Perform credential hygiene for accounts with elevated privileges and monitor logs for signs of exploitation.
This guide provides technical context, realistic attack scenarios, detection steps, containment measures, developer hardening advice, and practical WAF signatures and monitoring suggestions. The tone is practical and oriented towards site operators and plugin developers; advice is vendor-neutral.
Overview: what happened and why it matters
On 20 August 2025 a stored XSS vulnerability (CVE‑2025‑8064) in Bible SuperSearch ≤ 6.0.1 was disclosed. An authenticated Contributor (or higher) can submit data via selector_height which the plugin stores and later outputs without sufficient sanitization/escaping. Because the value is persisted, the injected markup or script executes in the browser of administrators, editors, or public visitors depending on output context.
Stored XSS is particularly dangerous: the payload persists server‑side and executes every time the vulnerable output is rendered. Consequences include administrative takeover, session theft, persistent site defacement, and distribution of client‑side malware.
Although this vulnerability requires a Contributor account to exploit (reducing immediacy compared to unauthenticated flaws), Contributor accounts are common and can be abused or compromised. Treat the presence of such a flaw as a meaningful operational risk.
Which versions are affected and where it was fixed
- Affected versions: Bible SuperSearch ≤ 6.0.1
- Fixed in: 6.1.0
- CVE: CVE‑2025‑8064
- Required privilege: Contributor
How the vulnerability works — technical summary (non‑vendor)
At a high level:
- The plugin accepts a selector_height parameter (widget settings, shortcode attributes, admin form or AJAX).
- The value is stored in persistent storage (postmeta, options, widget settings) without adequate validation or sanitization.
- Later, the stored value is rendered into a page or admin UI without proper escaping, allowing HTML/JS execution.
- An attacker inserts an HTML or JavaScript payload as the value. When an admin loads a page showing the stored value, the browser executes the payload in that user’s session context.
Because stored XSS payloads persist, the attacker’s code can be triggered repeatedly and used to escalate access, create persistent backdoors, or exfiltrate authentication tokens.
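To make the input/output failure concrete, here is an added illustration of the bug pattern beside a hardened version. This is not Bible SuperSearch’s own code; the function names, the option key bss_selector_height and the 50–2000 range are assumptions for the example (the WordPress functions used are real).

```php
<?php
// Added illustration, not the plugin's own code. Function names, the option key
// 'bss_selector_height' and the accepted range are assumed for this example.

// BEFORE (the bug pattern): the raw request value is stored and later echoed.
function bss_save_selector_height_vulnerable() {
    $value = isset($_POST['selector_height']) ? wp_unslash($_POST['selector_height']) : '';
    update_option('bss_selector_height', $value);   // stored as-is: any markup survives
}
function bss_render_selector_vulnerable() {
    $h = get_option('bss_selector_height', '300');
    echo '<div class="bss-selector" style="height:' . $h . 'px">';  // unescaped output
}

// AFTER: capability check, nonce, strict validation on input, escaping on output.
function bss_save_selector_height_fixed() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');          // Contributors cannot change settings
    }
    check_admin_referer('bss_settings');            // CSRF protection for the settings form
    $raw = isset($_POST['selector_height']) ? wp_unslash($_POST['selector_height']) : '';
    $h   = bss_normalize_selector_height($raw);
    if ($h === null) {
        wp_die('selector_height must be an integer between 50 and 2000');
    }
    update_option('bss_selector_height', $h);       // only an integer ever reaches storage
}

// Whitelist validation: a height is a bounded integer, nothing else.
function bss_normalize_selector_height($raw) {
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $raw = trim((string) $raw);
    if (!preg_match('/^[0-9]{2,4}$/', $raw)) {
        return null;
    }
    $n = (int) $raw;
    return ($n >= 50 && $n <= 2000) ? $n : null;
}

function bss_render_selector_fixed() {
    // Cast again on output (defence in depth) and escape for the attribute context.
    $h = absint(get_option('bss_selector_height', 300));
    echo '<div class="bss-selector" style="height:' . esc_attr($h) . 'px">';
}
```

The same two rules apply to the shortcode and widget paths: validate the value against the type it is supposed to be before storing it, and escape for the exact output context (esc_attr for attributes, esc_html for text) when rendering.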
Realistic exploitation scenarios
- Malicious insider or compromised Contributor account — A contributor injects a payload into widget or plugin settings that executes when an Editor/Admin views the affected area.
- Guest posting/editorial workflows — A Contributor submitting posts or authoring content may embed payloads that trigger during editorial preview or when Editors approve content.
- Mass exploitation via account creation — If an attacker registers many Contributor accounts (weak registration policy), they can plant multiple payloads to persist across admin views.
- Automated scanning and injection — Opportunistic attackers scan for installations of the vulnerable plugin and post payloads automatically to exposed endpoints.
Impact and what an attacker can do
Stored XSS enables an attacker to:
- Steal cookies or session tokens and attempt account takeover.
- Perform actions via an admin’s browser (CSRF‑style operations).
- Install backdoors by issuing authenticated requests from an administrator’s session.
- Inject spam, redirect traffic, or load client‑side malware.
Detection and indicators of compromise (IoCs)
Inspect the following:
- Plugin configuration values, widget options, postmeta and options for embedded HTML or JS (look for onerror=, javascript:, or unexpected angle brackets).
- Unexpected behavior in admin UI: popups, redirects, or alerts when opening plugin settings or editing content.
- New admin users, modified plugin/theme files, or suspicious scheduled tasks (wp_cron).
- Web server logs showing POST requests to plugin endpoints containing the parameter selector_height.
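As an added operator-side example (not part of the plugin or the advisory), the following script applies the indicators above to rows exported from wp_options / wp_postmeta. The row shape, the bss_ function names and the sample rows are constructed for the illustration.

```php
<?php
// Added illustration for site operators, not part of the plugin. Scans rows
// exported from wp_options / wp_postmeta (constructed sample data below) for
// selector_height values that are not a plain integer or that carry markup.

// Patterns the advisory lists as indicators: script tags, event handlers,
// javascript: URLs and stray angle brackets.
const BSS_SUSPICIOUS_PATTERNS = [
    'script_tag'    => '/<\s*script/i',
    'event_handler' => '/\bon[a-z]+\s*=/i',
    'js_url'        => '/javascript\s*:/i',
    'angle_bracket' => '/[<>]/',
];

// Returns findings as [table, id, reasons, value-excerpt].
function bss_scan_rows(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        $value = (string) $row['value'];
        // Serialized widget settings embed the key inside the value, so also
        // inspect values that merely mention selector_height.
        if ($row['key'] !== 'selector_height' && strpos($value, 'selector_height') === false) {
            continue;
        }
        $reasons = [];
        if ($row['key'] === 'selector_height' && !preg_match('/^[0-9]{1,4}$/', trim($value))) {
            $reasons[] = 'not_an_integer';   // a height should never be anything else
        }
        foreach (BSS_SUSPICIOUS_PATTERNS as $name => $re) {
            if (preg_match($re, $value)) {
                $reasons[] = $name;
            }
        }
        if ($reasons) {
            $findings[] = [$row['table'], $row['id'], implode(',', $reasons), substr($value, 0, 60)];
        }
    }
    return $findings;
}

// Constructed sample rows: a clean setting, a tampered one, and a clean serialized widget.
$sample = [
    ['table' => 'wp_postmeta', 'id' => 11, 'key' => 'selector_height', 'value' => '300'],
    ['table' => 'wp_postmeta', 'id' => 12, 'key' => 'selector_height', 'value' => '300" onerror="x'],
    ['table' => 'wp_options',  'id' => 7,  'key' => 'widget_bss',      'value' => 'a:1:{s:15:"selector_height";s:3:"250";}'],
];
foreach (bss_scan_rows($sample) as $f) {
    echo implode("\t", $f), PHP_EOL;   // one line per flagged row; row 11 and the widget stay silent
}
```

Run it against a real export only after backing up the database, and review every flagged row by hand rather than deleting automatically, since legitimate serialized settings can contain angle brackets.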
Suggested database queries (back up the DB first):
SELECT * FROM wp_postmeta
WHERE meta_value LIKE '%selector_height%'
OR meta_value LIKE '%