CVE-2025-14121 is a stored Cross-Site Scripting (XSS) vulnerability identified in the EDD Download Info plugin for WordPress, affecting all versions up to and including 1.1. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes in the 'edd_download_info_link' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts that utilize this shortcode. Because the malicious script is stored persistently, it executes in the browsers of any users who view the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C). The impact affects confidentiality and integrity but not availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is particularly concerning for WordPress sites that allow contributors to add or edit content and use this plugin to display download information, often in e-commerce or digital distribution contexts.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of user data on WordPress sites using the EDD Download Info plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of users. This can damage organizational reputation, lead to data breaches, and violate data protection regulations such as GDPR. E-commerce sites and digital content distributors are especially vulnerable, as attackers could manipulate download links or user interactions. The medium severity score reflects the need for authenticated access, limiting the attack surface to insiders or compromised accounts, but the scope change indicates that the vulnerability can affect multiple users beyond the attacker. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

1. Immediately restrict contributor-level privileges to trusted users only and review existing contributor accounts for suspicious activity. 2. Monitor and audit content changes involving the 'edd_download_info_link' shortcode to detect unauthorized script injections. 3. Implement additional input validation and output encoding at the application or web server level to sanitize user-supplied attributes before rendering. 4. Employ Web Application Firewalls (WAFs) with rules targeting common XSS payloads to block malicious requests. 5. Regularly update the EDD Download Info plugin and WordPress core to the latest versions once patches addressing this vulnerability are released. 6. Educate content contributors about the risks of injecting untrusted code and enforce strict content policies. 7. Consider disabling or replacing the vulnerable plugin with alternatives that follow secure coding practices if immediate patching is not possible. 8. Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks.