CVE-2025-12368
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-08
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpforchurch | sermon_manager | 2.30.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the Sermon Manager plugin for WordPress is installed and running a version up to and including 2.30.0. Since the vulnerability involves the `sermon-views` shortcode allowing stored cross-site scripting via insufficient input sanitization, detection involves checking for the presence of this shortcode in posts or pages and monitoring for suspicious script injections in those fields. There are no specific commands provided in the resources to detect this vulnerability directly on a network or system. However, you can search your WordPress database or content for the presence of the `[sermon-views]` shortcode and inspect any user-supplied attributes for injected scripts. Additionally, monitoring HTTP requests to `admin-ajax.php` with the AJAX action `wp_ajax_wpfc_entry_views` may help identify exploitation attempts. Since no explicit detection commands are given, manual inspection and scanning for the vulnerable plugin version and shortcode usage are recommended. [2, 3]
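A content scan of the kind described above, as an added example that is not part of the BaseFortify page or of the Sermon Manager plugin: it runs over constructed rows in the shape of a wp_posts export (ID, post_content), parses the attributes of every `[sermon-views]` shortcode and flags values that look like injected markup, event handlers or javascript: URIs. The sample posts and the attribute names they use are assumptions; a practitioner would feed in real rows from the site's database.

```python
import re

# Constructed sample rows in the shape of (ID, post_content) from wp_posts.
# These are made-up posts for the example, not data from any real site.
SAMPLE_POSTS = [
    (101, 'Welcome! [sermon-views id="42"] Watch this week\'s message.'),
    (102, "[sermon-views id='7' class='<script>alert(1)</script>']"),
    (103, "No shortcode here, just text about the Sunday service."),
    (104, '[sermon-views id="5"] and [sermon-views id="5" title="Grace"]'),
    (105, '[sermon-views id="9" link="javascript:void(0)"]'),
]

# Match the shortcode by its exact name and capture its attribute string.
SHORTCODE_RE = re.compile(r"\[sermon-views(?=[\s\]])([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or name=value, the forms WordPress shortcode parsing accepts.
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")
# Heuristics for script injection: HTML tags, on* event handlers, javascript: URIs.
SUSPICIOUS_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def parse_shortcode_attrs(attr_text):
    """Return {name: value} for the attributes of one shortcode instance."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        # Exactly one of the three value groups matched; take it.
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[name] = value
    return attrs


def scan_posts(posts):
    """Return (post_id, attr_name, attr_value) for every suspicious attribute."""
    findings = []
    for post_id, content in posts:
        for m in SHORTCODE_RE.finditer(content):
            for name, value in parse_shortcode_attrs(m.group(1)).items():
                if SUSPICIOUS_RE.search(value):
                    findings.append((post_id, name, value))
    return findings


if __name__ == "__main__":
    for post_id, name, value in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: attribute '{name}' looks injected: {value!r}")
```

The heuristics favour recall over precision, so each hit still needs a human look at the post and its revision history to confirm it is not a legitimate value.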
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Sermon Manager plugin for WordPress, affecting all versions up to 2.30.0. It occurs because the plugin does not properly sanitize or escape user-supplied input in the 'sermon-views' shortcode attributes. As a result, authenticated users with Contributor-level access or higher can inject malicious scripts into pages, which then execute whenever any user views those pages.
How can this vulnerability impact me?
The vulnerability allows attackers with Contributor-level access or above to inject arbitrary scripts into web pages. This can lead to unauthorized actions such as stealing user session data, defacing the website, or performing actions on behalf of other users without their consent. It compromises the integrity and security of the affected website and its users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Sermon Manager plugin for WordPress to a version later than 2.30.0 once available. Until then, restrict Contributor-level access and above to trusted users only, and consider disabling the 'sermon-views' shortcode or removing user-supplied attributes to prevent exploitation.