CVE-2025-14121 is a stored Cross-Site Scripting (XSS) vulnerability identified in the EDD Download Info plugin for WordPress, developed by samikeijonen. This vulnerability affects all versions up to and including version 1.1. The root cause is insufficient sanitization and escaping of user-supplied input within the 'edd_download_info_link' shortcode, which is used to generate web pages dynamically. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability does not require user interaction beyond visiting the infected page and can be exploited remotely over the network. The CVSS v3.1 base score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacts on confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors. The lack of available patches at the time of publication necessitates immediate mitigation efforts by administrators.

The exploitation of CVE-2025-14121 can have several adverse effects on organizations running WordPress sites with the vulnerable EDD Download Info plugin. Attackers with contributor-level access can inject malicious scripts that execute in the context of any user viewing the infected page, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or defacement. This compromises the confidentiality and integrity of the affected websites and their users. Although availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences. Organizations with multiple contributors or open editorial workflows are at higher risk. The vulnerability can also be leveraged as a foothold for further attacks within the network or to distribute malware. Given the widespread use of WordPress globally, the threat can affect a broad range of sectors including e-commerce, media, education, and government websites.

To mitigate CVE-2025-14121, organizations should first check for and apply any official patches or updates from the plugin developer once available. Until a patch is released, administrators should consider disabling or removing the EDD Download Info plugin to eliminate the attack surface. Restrict contributor-level permissions and review user roles to minimize the number of users who can inject content. Implement Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'edd_download_info_link' shortcode. Conduct thorough input validation and output encoding on all user-generated content, especially shortcodes and attributes. Regularly audit website content for suspicious scripts or injected code. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Educate content contributors about the risks of injecting untrusted code. Finally, monitor logs and user activity for signs of exploitation attempts.