CVE-2025-14119 is a stored cross-site scripting (XSS) vulnerability identified in the App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress. This vulnerability exists due to improper neutralization of input during web page generation, specifically within the 'atvc_video_play' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing an authenticated attacker with contributor-level or higher permissions to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability affects all versions up to and including 2.0.2 of the plugin. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. No public exploits have been reported yet. The vulnerability is classified under CWE-79, indicating improper input neutralization leading to cross-site scripting. The flaw is significant because it leverages contributor-level access, which is commonly granted in WordPress environments, thus broadening the potential attacker base. The vulnerability's exploitation could impact the confidentiality and integrity of user sessions and data without affecting availability. The plugin is widely used in WordPress sites employing WPBakery Page Builder, a popular page construction tool, increasing the potential attack surface.

The impact of CVE-2025-14119 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts that execute in the context of any user viewing the infected page. This can lead to session hijacking, theft of sensitive information, unauthorized actions such as content manipulation or privilege escalation attempts, and distribution of malware. Since contributor-level access is often granted to less trusted users, the risk of insider threats or compromised accounts is elevated. The vulnerability does not affect availability directly but can undermine user trust and site integrity. Organizations relying on the affected plugin for marketing or landing pages may face reputational damage, data breaches, and compliance issues if exploited. The widespread use of WPBakery Page Builder and its templates means many small to medium businesses and content creators worldwide could be exposed, especially those not regularly updating plugins or enforcing strict user role management.

To mitigate CVE-2025-14119, organizations should immediately update the App Landing Template Blocks for WPBakery Page Builder plugin to a patched version once available. Until a patch is released, disable or remove the 'atvc_video_play' shortcode functionality to prevent exploitation. Review and restrict contributor-level permissions to trusted users only, minimizing the risk of malicious input injection. Implement a web application firewall (WAF) with rules to detect and block common XSS payloads targeting this shortcode. Conduct regular security audits and scanning of WordPress sites to identify injected scripts or suspicious content. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Educate site administrators and content contributors on secure content practices and the risks of XSS. Monitor logs for unusual activity related to page edits or shortcode usage. Finally, maintain a robust backup and incident response plan to recover quickly if exploitation occurs.