CVE-2025-14114 is a stored cross-site scripting (XSS) vulnerability identified in the 1180px Shortcodes plugin for WordPress, maintained by chrisblackwell. The vulnerability exists due to improper neutralization of input during web page generation (CWE-79). Specifically, the 'class' attribute of the shortcode is not properly sanitized or escaped before output, allowing an authenticated attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code. This malicious code is stored persistently in the WordPress database and executed in the context of any user who views the affected page, including administrators and other privileged users. The vulnerability affects all versions up to and including 1.1.1. The CVSS 3.1 base score is 6.4, reflecting a network attack vector (remote exploitation), low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change due to the potential impact on other users. The impact includes limited confidentiality and integrity loss but no availability impact. No patches or fixes are currently linked, and no known exploits are reported in the wild. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content or shortcode attributes to be stored and rendered dynamically.

The primary impact of this vulnerability is the potential for stored XSS attacks, which can lead to session hijacking, privilege escalation, defacement, or distribution of malware through the affected WordPress site. Since the vulnerability requires Contributor-level access, attackers must first compromise or have legitimate access to an account with such privileges, which is common in collaborative or multi-author WordPress environments. Once exploited, malicious scripts execute in the browsers of any users visiting the infected pages, potentially exposing sensitive information or allowing attackers to perform actions on behalf of victims. This can undermine user trust, damage brand reputation, and lead to regulatory compliance issues if personal data is compromised. The vulnerability does not directly affect availability but can indirectly cause service disruptions if exploited for defacement or malware distribution. Organizations relying on this plugin, especially those with multiple contributors or public-facing sites, face increased risk of targeted attacks or insider threats leveraging this flaw.

To mitigate this vulnerability, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should restrict Contributor-level access to trusted users only and audit existing contributors for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting shortcode attributes can provide interim protection. Additionally, site administrators can manually sanitize and escape shortcode attributes by customizing the plugin code or using security plugins that enforce strict input validation. Regular security audits and monitoring of user-generated content for suspicious scripts are recommended. Disabling or removing the 1180px Shortcodes plugin entirely, if not critical, is a practical mitigation to eliminate the attack surface. Educating content contributors about safe input practices and monitoring logs for unusual behavior can further reduce exploitation risk.