Stored XSS Vulnerability in FiboSearch Plugin for WooCommerce by WordPress
CVE-2025-14298

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Fibosearch – Ajax Search For WooCommerce
Vendor: CVE Published:; 20 December 2025

What is CVE-2025-14298?

The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability through the thegem_te_search shortcode. This flaw arises from inadequate input sanitization and output escaping of user-supplied attributes, enabling authenticated attackers with Contributor-level access and higher to inject malicious web scripts. Such scripts will execute when a user accesses a compromised page. The vulnerability necessitates the installation of TheGem theme in Header Builder mode, alongside the 'Replace search bars' option enabled for TheGem integration.

Affected Version(s)

FiboSearch – Ajax Search for WooCommerce * <= 1.32.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/ajax-search-for-woocommerce

https://plugins.trac.wordpress.org/browser/ajax-search-fo...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 20, 2025
Vulnerability Reserved
Dec 8, 2025

Credit

Djaidja Moundjid

JSON