CVE-2025-14053 is a stored cross-site scripting (XSS) vulnerability identified in the 'Travel Bucket List – Wish To Go' WordPress plugin developed by jseto. This vulnerability affects all versions up to and including 0.5.2. The root cause is insufficient input sanitization and output escaping of user-supplied shortcode attributes within the plugin. Specifically, authenticated users with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages via these shortcode attributes. Because the malicious script is stored persistently in the website's content, it executes every time a user accesses the infected page. The vulnerability leverages CWE-79, which concerns improper neutralization of input during web page generation. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates that the attack can be performed remotely over the network with low attack complexity, requires privileges (Contributor or above), no user interaction, and impacts confidentiality and integrity with a scope change, but does not affect availability. This means an attacker can steal sensitive information like cookies or tokens, manipulate page content, or perform actions on behalf of other users. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (January 7, 2026).

The impact of this vulnerability is significant for organizations running WordPress sites with the affected plugin installed. Since the vulnerability allows stored XSS, attackers can execute persistent malicious scripts that compromise user sessions, steal credentials, or perform unauthorized actions within the context of the victim's browser. This can lead to data breaches, defacement, or further compromise of the website and its users. The requirement for Contributor-level access limits exploitation to insiders or registered users with elevated privileges, but many WordPress sites allow user registrations or have multiple contributors, increasing risk. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting other users and site administrators. Although availability is not affected, the confidentiality and integrity of user data and site content are at risk. The absence of known exploits in the wild suggests that immediate widespread attacks may not be occurring, but the vulnerability remains a critical risk if left unaddressed.

To mitigate CVE-2025-14053, organizations should first check for updates or patches from the plugin vendor jseto and apply them promptly once available. In the absence of an official patch, administrators should consider temporarily disabling the 'Travel Bucket List – Wish To Go' plugin to prevent exploitation. Restricting user roles and permissions is critical; ensure that only trusted users have Contributor-level or higher access, and review user accounts for suspicious activity. Implement web application firewalls (WAFs) with rules designed to detect and block XSS payloads, particularly those targeting shortcode attributes. Conduct thorough input validation and output encoding on all user-supplied data within the site, especially if custom modifications or overrides of the plugin exist. Regularly audit site content for injected scripts or suspicious shortcode usage. Educate content contributors about safe content practices and the risks of injecting untrusted code. Finally, monitor logs and user activity for signs of exploitation attempts or unusual behavior.