CVE-2025-14119 is a stored cross-site scripting vulnerability identified in the App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress. The flaw exists due to improper neutralization of input during web page generation, specifically in the 'atvc_video_play' shortcode. This shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of the victim. The vulnerability affects all plugin versions up to and including 2.0.2. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requires privileges but no user interaction, and impacts confidentiality and integrity with a scope change. Although no public exploits are known, the vulnerability poses a significant risk due to the common use of WPBakery and the plugin in WordPress sites. The vulnerability is classified under CWE-79, emphasizing the failure to properly sanitize inputs before embedding them in HTML output. The lack of a patch at the time of reporting necessitates immediate attention from site administrators to prevent exploitation.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted websites, resulting in session hijacking, credential theft, defacement, or distribution of malware. Organizations relying on WordPress sites with the affected plugin are at risk of reputational damage and potential data breaches. Since contributor-level users can exploit this flaw, insider threats or compromised low-privilege accounts can escalate attacks. The scope change in the CVSS vector implies that the vulnerability can affect resources beyond the initially compromised component, potentially impacting other parts of the website or connected systems. Given the widespread use of WordPress and WPBakery in Europe, especially among SMEs and digital agencies, the threat could disrupt business operations and customer trust. Additionally, compliance with GDPR may be impacted if personal data confidentiality is compromised through such attacks.

1. Monitor the vendor's announcements closely and apply official patches immediately once released. 2. Until a patch is available, restrict contributor-level access to trusted users only and review user roles to minimize privilege exposure. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'atvc_video_play' shortcode parameters. 4. Conduct manual code reviews or apply custom input sanitization and output escaping for the shortcode attributes if feasible. 5. Regularly audit WordPress plugins and remove unused or outdated components to reduce attack surface. 6. Educate content contributors on safe input practices and monitor for unusual page content changes. 7. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts. 8. Maintain comprehensive logging and alerting to detect suspicious activities related to page content modifications.