{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9855", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T15:25:49.563Z", "datePublished": "2025-09-11T07:25:02.565Z", "dateUpdated": "2026-04-08T17:32:06.381Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:06.381Z"}, "affected": [{"vendor": "zuotian", "product": "Enhanced BibliPlug", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Enhanced BibliPlug plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bibliplug_authors' shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Enhanced BibliPlug <= 1.3.8 - Authenticated (Contirbutor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/efd5ce76-2f93-45f9-9822-b0f8b6fcff0b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/enhanced-bibliplug/trunk/bibliplug.php#L293"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-09-10T18:44:54.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T13:31:51.031828Z", "id": "CVE-2025-9855", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:37:05.715Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9855", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-11T13:31:51.031828Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T13:31:52.813Z"}}], "cna": {"title": "Enhanced BibliPlug <= 1.3.8 - Authenticated (Contirbutor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "zuotian", "product": "Enhanced BibliPlug", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.3.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T18:44:54.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/efd5ce76-2f93-45f9-9822-b0f8b6fcff0b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/enhanced-bibliplug/trunk/bibliplug.php#L293"}], "descriptions": [{"lang": "en", "value": "The Enhanced BibliPlug plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bibliplug_authors' shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-11T07:25:02.565Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9855", "state": "PUBLISHED", "dateUpdated": "2025-09-11T14:37:05.715Z", "dateReserved": "2025-09-02T15:25:49.563Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:25:02.565Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Enhanced BibliPlug plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bibliplug_authors' shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9855", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:39.300", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/enhanced-bibliplug/trunk/bibliplug.php#L293"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/efd5ce76-2f93-45f9-9822-b0f8b6fcff0b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:50:06.820824+00:00", "value": {"mitigation_remediation": ["Update the Enhanced BibliPlug plugin to any release newer than 1.3.8.", "Remove or disable any instances of the bibliplug_authors shortcode until the vulnerability is fixed, or ensure its attributes are properly sanitized before output.", "Restrict contributor and higher roles from adding or editing content that incorporates the bibliplug_authors shortcode."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All releases of the Enhanced BibliPlug WordPress plugin up to and including version 1.3.8 are affected. Sites that host any of those versions and permit contributors or higher roles to insert content using the bibliplug_authors shortcode are vulnerable.", "description_and_impact": "The Enhanced BibliPlug WordPress plugin is vulnerable to stored cross\u2011site scripting via its bibliplug_authors shortcode. The plugin does not properly sanitize or escape user\u2011supplied attributes, allowing an authenticated user with contributor or higher role to embed arbitrary JavaScript that is executed whenever the affected page is viewed. This flaw is a classic CWE\u201179 type input handling weakness.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access at the contributor level or higher; once a malicious script is stored via the shortcode, it is delivered to all users who visit the affected page."}}}}, "created": "2025-09-12T08:03:07.934949+00:00", "updated": "2026-04-20T22:00:11.189258+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}