Description
The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘selector_height’ parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows execution of arbitrary scripts for any site visitor
Action: Apply Patch
AI Analysis

Impact

The Bible SuperSearch WordPress plugin contains a stored cross‑site scripting flaw via the selector_height parameter. The flaw exists because the input is not sufficiently sanitized and the output is not properly escaped. An authenticated user with Contributor level or higher can inject malicious JavaScript that executes on every visit to the affected page, potentially enabling defacement, credential theft, or session hijacking.

Affected Systems

All versions of the Bible SuperSearch plugin up to and including 6.0.1 released by aicwebtech are impacted. The vulnerability affects any WordPress site that uses this plugin and has users with Contributor or higher privileges, as those roles are required to inject the stored payload.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and an EPSS value below 1% suggests a low probability of exploitation at present. Because the flaw is not listed in CISA KEV, it has not yet been cataloged as a known exploited vulnerability. The attack requires a legitimate contributor account; once the attacker injects the payload, every site visitor that accesses the stored data will run the malicious script, giving the attacker broad impact on that site.

Generated by OpenCVE AI on April 22, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bible SuperSearch plugin to the latest version available from the WordPress repository or the project’s official source, ensuring the selector_height XSS fix is applied.
  • Restrict the Contributor role and other elevated privileges to trusted users only, limiting the number of accounts that can create the stored payload.
  • Deploy a web application firewall rule or server‑side validation that sanitizes or blocks script content supplied to the selector_height parameter, preventing execution even if a contributor account is compromised.

Generated by OpenCVE AI on April 22, 2026 at 16:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25422 The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘selector_height’ parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 21 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 21 Aug 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘selector_height’ parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Bible SuperSearch <= 6.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via selector_height Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:10.364Z

Reserved: 2025-07-22T21:21:00.367Z

Link: CVE-2025-8064

cve-icon Vulnrichment

Updated: 2025-08-21T13:50:26.975Z

cve-icon NVD

Status : Deferred

Published: 2025-08-21T10:15:30.170

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8064

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses