CVE-2025-67930

Vulnerability

Overview

The eHive Search plugin for WordPress versions up to and including 2.5.0 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into the plugin's output, which is then executed in the browser of a victim visiting a crafted link.

Exploitation

Requirements

Exploitation requires user interaction — while the vulnerability can be initiated by an unauthenticated attacker — requires user interaction. A privileged user (such as an administrator) must click a malicious link, visit a specially crafted page, or submit a form that triggers the reflected XSS [1]. The attacker does not need prior authentication to craft the malicious payload, but the victim must be logged into the WordPress site for the attack to succeed in some scenarios.

Impact

Successful exploitation allows an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which execute when visitors access the affected site [1]. This can lead to session hijacking, defacement, or distribution of malware to site visitors.

Mitigation

The vendor has released version 2.5.1 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the patch is applied [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites.