CVE 6.4 MEDIUM

Enhanced BibliPlug <= 1.3.8 - Authenticated (Contirbutor+) Stored Cross-Site Scripting_CVE-2025-9855

September 11, 2025 invoker category_cve
6.4 / 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Description

The Enhanced BibliPlug plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bibliplug_authors' shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Basic Information

ID CVE-2025-9855
Source Wordfence
Published Sep 11, 2025 at 07:25

Affected Product

Vendor zuotian
Product Enhanced BibliPlug
Version *
Affected Versions zuotian Enhanced BibliPlug *

CWE Classification

CWE-79

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.