## CVE-2025-12368: Unpatched Stored XSS in Sermon Manager Shortcode Exposes WordPress Sites to Browser Attacks
A confirmed stored cross-site scripting vulnerability in the Sermon Manager WordPress plugin remains without an upstream patch, leaving websites vulnerable to authenticated attacks that execute malicious code in every visitor's browser. CVE-2025-12368 carries a CVSS score of 6.4 (Medium), but security researchers have flagged the flaw as a priority given its public CVE status and the trivial access requirements needed to exploit it. The vulnerability exists in the plugin's sermon-views shortcode handler, where user-supplied attributes are rendered without sanitization.

The sink is confirmed at `includes/vendor/entry-views.php:114`, where the shortcode's `$attr['before']` and `$attr['after']` parameters are concatenated directly into page output with no escaping. Any Contributor-level user—the most basic authoring role in WordPress—can embed malicious JavaScript within a post using the `[sermon-views before="<script>…"]` syntax. Every visitor to that post then executes the payload in their browser session, enabling session hijacking, credential theft, or further malware distribution. All versions of Sermon Manager through 2.30.0 are affected, and no official patch has been released by the upstream maintainers.

The exposure is amplified by the low privilege level the attack requires. Contributor-level accounts are standard on multi-author WordPress installations, so the exploit surface extends well beyond the administrator-compromise scenarios typical of plugin vulnerabilities. Organizations running Sermon Manager—or its Sermon Works fork, which inherits the flaw—should audit Contributor-level accounts for suspicious shortcode usage and consider disabling the vulnerable shortcode until a patch materializes. The absence of a vendor patch also raises concerns about the plugin's long-term maintenance and the viability of relying on it in production environments.
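The audit suggested above, as an added example that is not part of the advisory or the plugin's code: a script that scans WordPress post content for `[sermon-views]` shortcodes whose `before` or `after` attribute carries markup or script-like content. The post rows, author roles and payloads are constructed sample data; the role column is assumed to have been joined from `wp_users`/`wp_usermeta` beforehand.

```python
import re
from html import unescape

# Constructed sample of (post_id, author_role, post_content) rows; not real site data.
SAMPLE_POSTS = [
    (101, "contributor", 'Intro [sermon-views before="<script>alert(1)</script>" after=""] text'),
    (102, "editor", 'Views: [sermon-views before="<strong>" after="</strong>"]'),
    (103, "contributor", "Plain [sermon-views before='Viewed ' after=' times']"),
    (104, "contributor", 'Evil [sermon-views after="<img src=x onerror=alert(1)>"]'),
    (105, "author", "No shortcode here"),
]

# The shortcode tag named in the advisory and everything up to its closing bracket.
SHORTCODE_RE = re.compile(r"\[sermon-views\b([^\]]*)\]", re.IGNORECASE)
# WordPress-style attributes: name="value", name='value' or name=bare.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Anything a raw, unescaped sink would render as markup or script.
MARKUP_RE = re.compile(r"<|javascript:|on\w+\s*=", re.IGNORECASE)


def parse_attrs(raw):
    """Map attribute names to values; the first non-None capture group is the value."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def find_suspicious(posts):
    """Return (post_id, role, attr_name, value) for every sermon-views shortcode
    whose before/after attribute contains markup. Entity-encoded values are decoded
    first so that '&lt;script&gt;' is caught as well as '<script>'."""
    hits = []
    for post_id, role, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            attrs = parse_attrs(sc.group(1))
            for name in ("before", "after"):
                value = attrs.get(name, "")
                if MARKUP_RE.search(unescape(value)):
                    hits.append((post_id, role, name, value))
    return hits


if __name__ == "__main__":
    for post_id, role, name, value in find_suspicious(SAMPLE_POSTS):
        print(f"post {post_id} ({role}): {name}={value!r}")
```

Benign markup such as `<strong>` is flagged too, since the sink escapes nothing; triage the hits by author role, with Contributor-level authors reviewed first.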
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2025-12368, stored-xss, wordpress, plugin-vulnerability, sermon-manager
- **Credibility**: unverified
- **Published**: 2026-05-06 22:31:39
- **ID**: 79911
- **URL**: https://whisperx.ai/en/intel/79911