Description
The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazu_search' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting with Contributor+ privileges
Action: Patch Now
AI Analysis

Impact

The Bukazu Search Widget plugin for WordPress is vulnerable to stored cross‑site scripting due to insufficient sanitization of the 'shortcode' attribute in the 'bukazu_search' shortcode. An authenticated user with the Contributor role or higher can persist arbitrary JavaScript in the widget configuration, and that script then executes in the browser of every visitor who loads a page containing the widget, giving the attacker client‑side code execution against all visitors of the affected page.
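As an added illustration (not the plugin's code and not part of the OpenCVE record), a hypothetical WordPress shortcode handler shows the defect class described above beside its hardened form: the vulnerable handler interpolates a shortcode attribute straight into HTML, while the fixed one restricts the value with sanitize_key() and escapes for the output context with esc_attr() and esc_html__(). The shortcode name 'example_search' and both function names are assumptions.

```php
<?php
// Added example: a hypothetical shortcode handler, not the BUKAZU plugin's code.
// Shortcode attributes are written by whoever can save post content, and a
// Contributor can save drafts containing shortcodes, so they are untrusted input.

// VULNERABLE pattern (CWE-79): the attribute value is written into markup as-is.
function example_search_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'shortcode' => '' ), $atts, 'example_search' );
    // A value containing a quote or a tag escapes the attribute context and the
    // resulting markup is stored with the post and rendered to every visitor.
    return '<div class="search" data-source="' . $atts['shortcode'] . '"></div>';
}

// HARDENED pattern: constrain the value on input, then escape on output.
function example_search_fixed( $atts ) {
    $atts = shortcode_atts( array( 'shortcode' => '' ), $atts, 'example_search' );

    // sanitize_key() reduces the value to lowercase alphanumerics, dashes and
    // underscores, which is all an identifier-style attribute should ever carry.
    $source = sanitize_key( $atts['shortcode'] );

    // Escape for the exact context: esc_attr() inside an attribute,
    // esc_html__() for translatable text between tags.
    return sprintf(
        '<div class="search" data-source="%s">%s</div>',
        esc_attr( $source ),
        esc_html__( 'Search', 'example-textdomain' )
    );
}

// Register only the hardened handler.
add_shortcode( 'example_search', 'example_search_fixed' );
```

Escaping at output is the control the CVE description says was missing; validating on input is defence in depth, not a substitute for it.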

Affected Systems

All installations of the Bukazu Search Widget plugin by Bob Van Aorschot, up to and including version 3.3.2, are affected. Any WordPress site running this plugin version with the widget enabled and with users that have Contributor or higher roles may be impacted.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1 % shows a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker must first be authenticated as a Contributor or higher, then create a malicious widget configuration using the unsanitized 'shortcode' attribute. Once persisted, any visitor to the page containing that widget will have the attacker‑supplied script executed in their browser, providing a significant client‑side attack surface.

Generated by OpenCVE AI on April 21, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bukazu Search Widget plugin to version 3.3.3 or later, which removes the unsanitized shortcode attribute.
  • If an update is unavailable, remove the widget from all site pages or disable the plugin entirely until a patched version is released.
  • Restrict widget configuration permissions so that only Administrator users can edit the widget or revoke Contributor roles from users who do not need access to widget settings.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
References | |

Fri, 12 Dec 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type | Values Removed | Values Added
Description | | The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazu_search' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | BUKAZU Search widget <= 3.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'shortcode' Shortcode Attribute
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:29.717Z

Reserved: 2025-12-01T18:49:41.802Z

Link: CVE-2025-13840

Vulnrichment

Updated: 2025-12-12T14:58:56.026Z

NVD

Status: Deferred

Published: 2025-12-12T04:15:42.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:30:37Z

Weaknesses