CVE-2025-14110 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP Js List Pages Shortcodes plugin for WordPress, specifically affecting all versions up to and including 1.21. The vulnerability is due to improper neutralization of input during web page generation, categorized under CWE-79. The issue lies in the insufficient sanitization and output escaping of the 'class' attribute within the shortcode, which allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user accesses the compromised page, potentially enabling attackers to hijack user sessions, steal cookies, perform actions on behalf of users, or conduct phishing attacks. The vulnerability requires authentication at the Contributor level, which means attackers must have some level of access to the WordPress backend but do not require higher privileges such as Administrator. No user interaction beyond visiting the infected page is necessary for exploitation. The CVSS v3.1 base score is 6.4 (medium severity), with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, privileges required, no user interaction, scope changed, and limited impact on confidentiality and integrity but no impact on availability. There are currently no known exploits in the wild, and no official patches have been linked yet. The vulnerability was reserved in December 2025 and published in January 2026. This vulnerability is significant for WordPress sites using this plugin, especially those with multiple contributors who can add or edit content, as it allows persistent script injection that can affect all users viewing the compromised pages.

For European organizations, this vulnerability poses a moderate risk primarily to websites using WordPress with the WP Js List Pages Shortcodes plugin installed. The impact includes potential compromise of user sessions, theft of sensitive information such as cookies or tokens, and unauthorized actions performed on behalf of users, which can lead to reputational damage, data breaches, and regulatory non-compliance under GDPR. Since exploitation requires Contributor-level access, insider threats or compromised contributor accounts are the main vectors. The stored nature of the XSS means that any visitor to the infected page is at risk, potentially affecting customers, employees, or partners accessing the site. Organizations with public-facing WordPress sites that allow multiple contributors or editors are particularly vulnerable. The scope of impact extends to confidentiality and integrity but does not affect availability. Given the widespread use of WordPress in Europe, especially in sectors like media, education, and e-commerce, the vulnerability could be leveraged for targeted attacks or broader campaigns. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities once disclosed.

European organizations should implement several specific mitigations beyond generic advice: 1) Immediately audit WordPress sites to identify installations of the WP Js List Pages Shortcodes plugin and determine the version in use. 2) Restrict Contributor-level permissions strictly, ensuring only trusted users have such access, and consider temporarily disabling or limiting shortcode usage for contributors until patched. 3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections targeting shortcode attributes. 4) Monitor logs and content changes for suspicious shortcode attributes or unexpected script tags. 5) Educate contributors about safe content editing practices and the risks of injecting untrusted code. 6) Once an official patch or update is released by the plugin vendor, prioritize immediate application. 7) Consider replacing or disabling the vulnerable plugin if it is not essential to site functionality. 8) Implement Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources. 9) Regularly back up website content to enable quick restoration if compromise is detected. These steps collectively reduce the attack surface and limit the potential damage from exploitation.