CVE-2025-14298

The FiboSearch – Ajax Search for WooCommerce plugin (versions up to and including 1.32.0) contains a stored cross-site scripting (XSS) vulnerability in its thegem_te_search shortcode. The root cause is inadequate input sanitization and output escaping on user-supplied attributes, allowing malicious scripts to be injected into pages and executed when a user visits the compromised page.

Exploitation requires that the attacker has at least Contributor-level access to the WordPress site, and the site must be using TheGem (premium) theme with Header Builder mode enabled. Additionally, the FiboSearch "Replace search bars" option must be enabled for TheGem integration. An authenticated attacker with these conditions can craft a shortcode attribute containing JavaScript payloads, which will be stored and later rendered unsafely on the frontend.

Successful exploitation results in arbitrary JavaScript execution in the context of any user accessing the injected page. This could lead to session hijacking, defacement, or theft of sensitive information such as cookies or credentials. Because the script executes in the browser of any visitor, the impact can be widespread in a WooCommerce store.

As of the reference advisory, patches have not been explicitly confirmed in the provided text. The plugin's official page [1] provides the download and changelog; users should update to a patched version if available. Until then, restricting contributor access and disabling the vulnerable shortcode integration are potential mitigations.