The WP Js List Pages Shortcodes plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-14110. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically in the handling of the 'class' shortcode attribute. Versions up to and including 1.21 fail to adequately sanitize and escape user-supplied input, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on their behalf. The vulnerability requires authentication but no additional user interaction, and it affects all versions of the plugin up to 1.21. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. No patches or fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability was reserved in December 2025 and published in January 2026 by Wordfence.

This vulnerability allows authenticated users with relatively low privileges (Contributor or higher) to execute arbitrary JavaScript in the context of the WordPress site. This can lead to theft of cookies or authentication tokens, enabling privilege escalation or account takeover. It can also facilitate defacement, phishing, or distribution of malware to site visitors. Since the injected scripts execute for all users viewing the affected pages, the impact extends beyond the initial attacker. For organizations relying on this plugin, especially those with multiple contributors or public-facing content, the risk includes reputational damage, data leakage, and potential compromise of user accounts. The medium CVSS score reflects a moderate but significant risk, particularly in environments where contributors are numerous or less trusted. The absence of known exploits suggests limited current active exploitation but does not diminish the urgency of remediation.

Organizations should immediately review user roles and permissions to restrict Contributor-level access to trusted users only. Until an official patch is released, consider disabling or removing the WP Js List Pages Shortcodes plugin to eliminate the attack surface. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'class' shortcode attribute. Conduct thorough audits of existing pages for injected scripts and remove any malicious content. Educate content contributors about safe input practices and monitor logs for unusual activity. Once a vendor patch is available, apply it promptly. Additionally, consider employing Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting script execution sources. Regularly update WordPress core and all plugins to minimize exposure to known vulnerabilities.