The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability through the thegem_te_search shortcode. This flaw arises from inadequate input sanitization and output escaping of user-supplied attributes, enabling authenticated attackers with Contributor-level access and higher to inject malicious web scripts. Such scripts will execute when a user accesses a compromised page. The vulnerability necessitates the installation of TheGem theme in Header Builder mode, alongside the 'Replace search bars' option enabled for TheGem integration.
https://securityvulnerability.io/vulner ... 2025-14298