Skip to main content

WordPress CVE-2025-63000

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 09:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpforchurch Sermon Manager sermon-manager-for-wordpress allows Stored XSS.This issue affects Sermon Manager: from n/a through <= 2.30.0.

AnalysisAI

Stored cross-site scripting (XSS) in wpforchurch Sermon Manager WordPress plugin through version 2.30.0 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site administrators and other users. The vulnerability affects sermon content input validation, enabling attackers with contributor or editor privileges to compromise website integrity and steal sensitive data from higher-privileged users.

Technical ContextAI

This vulnerability exploits improper input sanitization and output encoding in the Sermon Manager plugin for WordPress, a plugin designed to manage sermon content within WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied input from sermon creation or editing forms is stored in the database without adequate sanitization and subsequently rendered on the front-end or admin pages without proper HTML entity encoding. WordPress plugins are particularly susceptible to this class of vulnerability when they fail to use WordPress's built-in sanitization functions (sanitize_text_field, wp_kses_post) during data input and escaping functions (esc_html, esc_attr, wp_kses_post) during output. The stored nature of this XSS means the payload persists across sessions and affects multiple users rather than just the attacker's session.

Affected ProductsAI

The vulnerability affects the wpforchurch Sermon Manager plugin (CPE identifier: WordPress plugin sermon-manager-for-wordpress) through version 2.30.0 and potentially earlier versions. The advisory does not specify a minimum affected version, suggesting all versions up to and including 2.30.0 are impacted. WordPress installations running Sermon Manager 2.30.0 or earlier with contributor or editor users are in scope.

RemediationAI

Update Sermon Manager to version 2.30.1 or later immediately, as the patched version addresses the input validation and output encoding defects. Access the WordPress plugin dashboard, navigate to Plugins > Installed Plugins, locate Sermon Manager, and click Update if available. Alternatively, download the latest version from the WordPress plugin repository at https://patchstack.com/database/Wordpress/Plugin/sermon-manager-for-wordpress/. As an interim mitigation on sites unable to update immediately, restrict sermon creation and editing capabilities to administrator accounts only using WordPress role management, and regularly audit existing sermon content for suspicious scripts using the WordPress plugin security scanner or manual database review. Clear any cached plugin code after updating to ensure the patched version is active.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2025-63000 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy