Security Alert: Is Your Library Book Carousel Putting Patrons at Risk?
The Library Bookshelves WordPress plugin is a popular tool used by thousands of libraries to create book carousels and virtual displays. If your library currently uses this plugin, you may be unknowingly exposing your patrons and your website to serious cyberattacks due to critical, unpatched vulnerabilities discovered in September 2025.
Recent security research (2024–2025) has identified Stored Cross-Site Scripting (XSS) vulnerabilities within this plugin that remain unpatched.
The Risk to Your Library
The vulnerability (specifically CVE-2025-57964) allows an attacker to inject malicious scripts into your website. Because this is a “Stored” XSS attack, the malicious code is saved on your site and runs automatically in the browser of every visitor who loads the affected page.
How an exploited website can impact your patrons:
- Malicious Redirects: Patrons trying to view your book recommendations could be automatically redirected to phishing sites or “scam” pages that look like your library catalog.
- Data Theft: Scripts can be designed to capture keystrokes or steal “session cookies,” potentially compromising a patron’s account if they are logged into your site or catalog.
- Malware Distribution: In extreme cases, these vulnerabilities can be used to prompt patrons to download “updates” that are actually viruses or ransomware.
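To make the “stored” part of this risk concrete, here is an added example written for this article; it is not code from the Library Bookshelves plugin, whose internals this page does not show. It models a hypothetical WordPress shortcode, demo_shelf, whose attributes an authenticated author saves in a post and WordPress later renders to every visitor. The vulnerable handler echoes the stored values verbatim; the hardened handler escapes each value for the HTML context it lands in with WordPress’s esc_html() and esc_url(). The fallback definitions at the top are simplified stand-ins, assumed only so the file also runs with plain php outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example for this article, not code from the Library Bookshelves plugin.
// Hypothetical shortcode [demo_shelf title="..." link="..."]: the attribute
// values are stored in post content by an authenticated author and rendered
// to every visitor, which is exactly where a stored XSS lives.

// Fallbacks so the file runs with plain `php` outside WordPress.
// Inside WordPress the real esc_html()/esc_url()/shortcode_atts() are used.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Simplified stand-in: allow only http(s) URLs, then HTML-escape the result.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $defaults, $atts, $shortcode = '' ) {
        return array_merge( $defaults, array_intersect_key( (array) $atts, $defaults ) );
    }
}

// VULNERABLE pattern: stored attribute values are concatenated into markup verbatim,
// so whatever an author saved becomes live HTML in every visitor's browser.
function demo_shelf_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'link' => '' ), $atts, 'demo_shelf' );
    return '<div class="shelf"><a href="' . $atts['link'] . '">'
         . $atts['title'] . '</a></div>';
}

// HARDENED pattern: escape each value for the exact context it lands in
// (URL attribute vs. text node). Escaping at output time neutralises whatever
// was stored, so visitors are protected even if the stored value is malicious.
function demo_shelf_safe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'link' => '' ), $atts, 'demo_shelf' );
    return '<div class="shelf"><a href="' . esc_url( $atts['link'] ) . '">'
         . esc_html( $atts['title'] ) . '</a></div>';
}

if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'demo_shelf', 'demo_shelf_safe' );
}

// Constructed sample input: a stored "title" that carries markup instead of a
// plain heading, and a "link" that is not an http(s) URL.
$stored = array(
    'title' => 'Staff Picks <script>alert(1)</script>',
    'link'  => 'javascript:alert(1)',
);

// Vulnerable output contains a live <script> tag and the unsafe href;
// hardened output shows the tag as literal text and drops the href value.
echo 'Vulnerable: ' . demo_shelf_vulnerable( $stored ) . PHP_EOL;
echo 'Hardened:   ' . demo_shelf_safe( $stored ) . PHP_EOL;
```

Run it with `php demo_shelf.php` and compare the two lines: the vulnerable one hands the browser a script tag, the hardened one renders `&lt;script&gt;` as text and an empty `href`. For a site owner the practical takeaway is that the fix lives in the plugin’s rendering code (escaping at output, plus checks on who may save such attributes), which is why a site cannot protect itself against this class of bug by configuration alone.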
Technical Breakdown
- Plugin: Library Bookshelves (by photonicgnostic)
- Vulnerability Type: Authenticated Stored Cross-Site Scripting (XSS)
- Affected Versions: All versions up to and including 5.11.
- CVE IDs: CVE-2025-57964, CVE-2024-13464, CVE-2024-11359.
- Current Status: No known patch available for versions up to and including 5.11 as of January 2026.
A Pattern of Vulnerability
While the developer has released updates in the past, the Library Bookshelves plugin has demonstrated a recurring “habit” of security vulnerabilities. As soon as one hole is patched, a new, similar vulnerability is often discovered.
In recent months alone, multiple critical flaws have been recorded:
- September 2025: CVE-2025-57964 (Unpatched in v5.11)
- February 2025: CVE-2024-13464 (Patched in v5.10)
- December 2024: CVE-2024-11359 (Patched in v5.9)
- November 2024: CVE-2024-52453 (Patched in v5.8)
This cycle of “patch-and-fail” suggests that the underlying code lacks the input sanitization and output escaping that modern secure coding requires to keep your website safe. For many libraries, the risk of waiting for the next patch, only for a new vulnerability to appear, is becoming too high.