CVE-2025-14000 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Membership Plugin – Restrict Content developed by stellarwp for WordPress. The flaw exists in all versions up to and including 3.2.15 and is due to insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'register_form' and 'restrict' shortcodes. This improper neutralization of input (CWE-79) allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the injected scripts are stored and rendered whenever any user visits the affected page, this can lead to persistent XSS attacks. The vulnerability requires authentication at a relatively low privilege level (contributor), does not require user interaction to trigger, and affects the confidentiality and integrity of user sessions and data. The CVSS 3.1 base score is 6.4, reflecting medium severity, with attack vector network, low attack complexity, privileges required at low level, no user interaction, and scope changed due to impact on other users. No public exploits or patches are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is widely used in WordPress environments for membership and content restriction, making the vulnerability relevant to many websites globally.

The vulnerability allows attackers with contributor-level access to inject malicious scripts that execute in the context of other users visiting the affected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, defacement, or distribution of malware. Since the scope is changed, the impact extends beyond the attacker’s own privileges, potentially compromising administrators or other privileged users. Organizations relying on the Membership Plugin – Restrict Content for managing user access and memberships may face reputational damage, data breaches, and unauthorized access. The medium CVSS score reflects moderate risk, but the ease of exploitation by authenticated users and the persistent nature of the attack increase the threat. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, especially as attackers may develop exploits following public disclosure. The vulnerability affects the confidentiality and integrity of data but does not impact availability directly.

1. Monitor the vendor’s official channels for patches and apply updates immediately once available. 2. Until a patch is released, restrict contributor-level user privileges to trusted individuals only, minimizing the risk of malicious script injection. 3. Implement strict input validation and output encoding on all user-supplied data in custom code or overrides related to the plugin. 4. Deploy a Web Application Firewall (WAF) with rules to detect and block XSS payloads, particularly targeting the plugin’s shortcode parameters. 5. Conduct regular security audits and code reviews of WordPress plugins and themes to identify similar vulnerabilities. 6. Educate site administrators and users about the risks of granting contributor-level access and enforce the principle of least privilege. 7. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 8. Monitor logs and user activity for suspicious behavior indicative of exploitation attempts.