{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8064", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-22T21:21:00.367Z", "datePublished": "2025-08-21T09:26:02.544Z", "dateUpdated": "2026-04-08T16:38:10.364Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:10.364Z"}, "affected": [{"vendor": "aicwebtech", "product": "Bible SuperSearch", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018selector_height\u2019 parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Bible SuperSearch <= 6.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via selector_height Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ada39db-b316-4270-ac9c-3770b473d6a8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/biblesupersearch/trunk/wp/class.shortcodes.php#L270"}, {"url": "https://wordpress.org/plugins/biblesupersearch/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3345278/"}, {"url": "https://github.com/aicwebtech/Bible-SuperSearch-WordPress-Plugin/commit/535e1a48a6d6135020209adfd9881a0c1878b741#diff-e60090bad955f035bce7cebd3a9a1e9555f5692fa74c17a24a31cfc1557d04d6"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-07-25T14:42:32.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-20T20:41:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-21T13:50:22.741517Z", "id": "CVE-2025-8064", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T13:50:33.314Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8064", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-21T13:50:22.741517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T13:50:26.975Z"}}], "cna": {"title": "Bible SuperSearch <= 6.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via selector_height Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "aicwebtech", "product": "Bible SuperSearch", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "6.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-25T14:42:32.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-20T20:41:27.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ada39db-b316-4270-ac9c-3770b473d6a8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/biblesupersearch/trunk/wp/class.shortcodes.php#L270"}, {"url": "https://wordpress.org/plugins/biblesupersearch/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3345278/"}, {"url": "https://github.com/aicwebtech/Bible-SuperSearch-WordPress-Plugin/commit/535e1a48a6d6135020209adfd9881a0c1878b741#diff-e60090bad955f035bce7cebd3a9a1e9555f5692fa74c17a24a31cfc1557d04d6"}], "descriptions": [{"lang": "en", "value": "The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018selector_height\u2019 parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-21T09:26:02.544Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8064", "state": "PUBLISHED", "dateUpdated": "2025-08-21T13:50:33.314Z", "dateReserved": "2025-07-22T21:21:00.367Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-21T09:26:02.544Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018selector_height\u2019 parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Bible SuperSearch para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'selector_height' en todas las versiones hasta la 6.0.1 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-8064", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-21T10:15:30.170", "references": [{"source": "security@wordfence.com", "url": "https://github.com/aicwebtech/Bible-SuperSearch-WordPress-Plugin/commit/535e1a48a6d6135020209adfd9881a0c1878b741#diff-e60090bad955f035bce7cebd3a9a1e9555f5692fa74c17a24a31cfc1557d04d6"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/biblesupersearch/trunk/wp/class.shortcodes.php#L270"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3345278/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/biblesupersearch/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ada39db-b316-4270-ac9c-3770b473d6a8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:59:23.020167+00:00", "value": {"mitigation_remediation": ["Upgrade the Bible SuperSearch plugin to the latest version available from the WordPress repository or the project\u2019s official source, ensuring the selector_height XSS fix is applied.", "Restrict the Contributor role and other elevated privileges to trusted users only, limiting the number of accounts that can create the stored payload.", "Deploy a web application firewall rule or server\u2011side validation that sanitizes or blocks script content supplied to the selector_height parameter, preventing execution even if a contributor account is compromised."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting that allows execution of arbitrary scripts for any site visitor"}, "threat_synthesis": {"affected_systems": "All versions of the Bible SuperSearch plugin up to and including 6.0.1 released by aicwebtech are impacted. The vulnerability affects any WordPress site that uses this plugin and has users with Contributor or higher privileges, as those roles are required to inject the stored payload.", "description_and_impact": "The Bible SuperSearch WordPress plugin contains a stored cross\u2011site scripting flaw via the selector_height parameter. The flaw exists because the input is not sufficiently sanitized and the output is not properly escaped. An authenticated user with Contributor level or higher can inject malicious JavaScript that executes on every visit to the affected page, potentially enabling defacement, credential theft, or session hijacking.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, and an EPSS value below 1% suggests a low probability of exploitation at present. Because the flaw is not listed in CISA KEV, it has not yet been cataloged as a known exploited vulnerability. The attack requires a legitimate contributor account; once the attacker injects the payload, every site visitor that accesses the stored data will run the malicious script, giving the attacker broad impact on that site."}}}}, "created": "2025-08-21T12:30:43.529050+00:00", "updated": "2026-04-22T17:00:12.347566+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}