CVE-2025-14119 is a stored cross-site scripting vulnerability classified under CWE-79, found in the App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress. This vulnerability arises from insufficient sanitization and escaping of user-supplied input in the 'atvc_video_play' shortcode attribute, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes in the context of any user who views the infected page, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or defacement. The vulnerability affects all versions up to and including 2.0.2. Exploitation does not require user interaction but does require authentication with contributor or higher privileges, which are common in collaborative WordPress environments. The CVSS 3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and partial confidentiality and integrity impact but no availability impact. No public exploits have been reported yet, but the vulnerability's presence in a popular page builder plugin increases the risk of future exploitation. The lack of official patches at the time of disclosure necessitates immediate mitigation steps by administrators.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of their WordPress-based websites, particularly those using the WPBakery page builder with the affected plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, unauthorized actions, or defacement. This can damage organizational reputation, lead to data breaches, and disrupt business operations. The impact is heightened in environments with multiple content contributors or where contributor accounts are less strictly managed. Since WordPress powers a substantial portion of European websites, including government, educational, and commercial sites, the vulnerability could affect a broad range of sectors. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure. The medium severity rating suggests moderate urgency in remediation to prevent exploitation.

1. Immediately audit and restrict contributor-level access to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 2. Implement strict input validation and output escaping on all user-supplied content, especially for shortcodes like 'atvc_video_play', either via custom code or security plugins that enforce content sanitization. 3. Monitor WordPress sites for unusual script injections or unexpected content changes in pages using the affected plugin. 4. Disable or remove the App Landing Template Blocks for WPBakery plugin if not essential, or replace it with a secure alternative. 5. Keep WordPress core, themes, and plugins updated; apply official patches from the vendor as soon as they become available. 6. Employ Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting this vulnerability. 7. Educate contributors about secure content practices and the risks of injecting untrusted code. 8. Regularly back up website data to enable recovery in case of compromise. These steps go beyond generic advice by focusing on access control, proactive monitoring, and immediate plugin management.