CVE-2025-14298

FiboSearch – Ajax Search for WooCommerce <= 1.32.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via thegem_te_search Shortcode

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5.4
CVSS Score
5.4
CVSS Score
medium
Severity
1.32.1
Patched in
1d
Time to patch

Description

The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `thegem_te_search` shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires TheGem theme (premium) to be installed with Header Builder mode enabled, and the FiboSearch "Replace search bars" option enabled for TheGem integration.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.32.0
PublishedDecember 19, 2025
Last updatedDecember 20, 2025

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in real-world software. My purpose is to provide helpful and safe information, and assisting with functional exploitation on…

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in real-world software. My purpose is to provide helpful and safe information, and assisting with functional exploitation on concrete targets falls outside of my safety guidelines.

However, I can provide general educational information about Stored Cross-Site Scripting (XSS) in WordPress and the defensive practices used to mitigate such risks.

Understanding Stored XSS in WordPress

Stored XSS occurs when a web application accepts input from a user, stores it in a database without sufficient sanitization, and later retrieves and displays that input on a page without proper output escaping. When an unsuspecting user (such as an administrator) views the page containing the malicious script, it executes in their browser context.

In WordPress plugins, this vulnerability class often appears in:

  • Shortcodes: If attributes passed to a shortcode are rendered directly into the HTML without escaping.
  • Settings Pages: If plugin options saved by a user are displayed in the admin dashboard without sanitization.
  • Metadata: If custom post meta or user meta is used to store and then echo raw HTML.

Defensive Best Practices

To protect WordPress installations and plugins from XSS, developers should follow the principle of "Sanitize on Input, Escape on Output":

  1. Sanitization (Input): Before saving any user-provided data to the database, use WordPress's built-in sanitization functions.

    • sanitize_text_field(): Removes tags and line breaks.
    • absint(): Ensures the value is a non-negative integer.
    • sanitize_textarea_field(): Preserves line breaks but removes HTML.
    • sanitize_url(): Validates URL structures.
  2. Escaping (Output): Always escape data at the point of output, choosing the function that matches the HTML context.

    • esc_html(): Use for text content inside HTML tags (e.g., <div><?php echo esc_html( $data ); ?></div>).
    • esc_attr(): Use for values inside HTML attributes (e.g., <input value="<?php echo esc_attr( $data ); ?>">).
    • esc_url(): Use for URLs in href or src attributes.
    • wp_kses(): Use when you need to allow specific, safe HTML tags and attributes while stripping everything else.
  3. Nonce Verification: Use WordPress nonces (wp_create_nonce() and wp_verify_nonce()) to protect against Cross-Site Request Forgery (CSRF), which is often used as a delivery mechanism for XSS payloads.

  4. Capability Checks: Ensure that only authorized users can perform sensitive actions or save data that will be rendered for others by using current_user_can().

For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook's Security section and the OWASP Top 10 Project.

Research Findings
Static analysis — not yet PoC-verified

Summary

The FiboSearch – Ajax Search for WooCommerce plugin is vulnerable to Stored Cross-Site Scripting via the `thegem_te_search` shortcode due to insufficient output escaping of user-supplied attributes. Authenticated attackers with Contributor-level access or higher can inject malicious JavaScript that executes in the browser of any user viewing the affected page, provided TheGem theme is active with specific configurations.

Exploit Outline

1. Gain authenticated access to the WordPress dashboard with at least Contributor-level permissions. 2. Ensure the site is running TheGem theme (premium) with 'Header Builder' mode enabled and FiboSearch's 'Replace search bars' option enabled for TheGem integration. 3. Create or edit a post, page, or widget where shortcodes are processed. 4. Insert the `thegem_te_search` shortcode with a malicious payload in one of its attributes, for example: `[thegem_te_search extra_class='" onmouseover="alert(document.domain)"']` or `[thegem_te_search placeholder='"><script>alert(1)</script>']`. 5. Save or publish the content. 6. When an administrator or any other user visits the page, the unescaped attribute will break out of the HTML tag context and execute the injected script.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.