CVE-2025-14028 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Contact Us Simple Form plugin for WordPress developed by bruterdregz. The vulnerability affects all versions up to and including 1.0. It arises from improper neutralization of input during web page generation, specifically due to insufficient sanitization and escaping of user-supplied attributes in the plugin's admin settings. An attacker with administrator-level access or higher can inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability requires the attacker to have high privileges (administrator or above), no user interaction is needed for the payload to execute once injected, and the attack surface is limited to sites using this specific plugin. The CVSS v3.1 base score is 4.4, reflecting medium severity due to the high privilege requirement and lack of user interaction but with potential confidentiality and integrity impacts. No patches or known exploits are currently available or reported. The vulnerability was published on January 7, 2026, and was reserved on December 4, 2025. The scope is confined to WordPress sites running the vulnerable plugin versions.

The primary impact of CVE-2025-14028 is the potential compromise of confidentiality and integrity on affected WordPress sites. An attacker with administrator privileges can inject malicious scripts that execute in the context of users visiting the infected pages, enabling session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. While availability is not directly affected, the breach of trust and potential data leakage can have severe reputational and operational consequences. Organizations relying on the Contact Us Simple Form plugin expose themselves to targeted attacks, especially if multiple administrators manage the site or if attackers can escalate privileges to administrator level. This vulnerability could be leveraged in multi-tenant hosting environments or managed WordPress services to pivot attacks. The medium CVSS score reflects the requirement for high privileges, limiting exploitation to insiders or attackers who have already compromised admin accounts. However, the persistent nature of stored XSS increases risk as injected scripts remain active until remediated. The lack of known exploits in the wild suggests limited current exploitation but also highlights the need for proactive mitigation before attackers develop weaponized payloads.

To mitigate CVE-2025-14028, organizations should immediately audit their WordPress installations for the presence of the Contact Us Simple Form plugin and verify the version in use. Since no official patches are currently available, administrators should consider the following specific steps: (1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce risk of privilege compromise. (2) Temporarily disable or uninstall the vulnerable plugin until a security update is released. (3) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the plugin's admin settings. (4) Conduct thorough input validation and output encoding on any custom code interacting with the plugin or its data. (5) Monitor logs for unusual administrator activity or unexpected changes in plugin settings. (6) Educate administrators about the risks of stored XSS and the importance of cautious input handling. (7) Once a patch is released, promptly apply updates and verify remediation through testing. (8) Consider isolating administrative interfaces or limiting access by IP to reduce exposure. These targeted actions go beyond generic advice and address the specific threat vectors and exploitation requirements of this vulnerability.