CVE-2025-14121 is a stored Cross-Site Scripting (XSS) vulnerability identified in the EDD Download Info plugin for WordPress, developed by samikeijonen. This vulnerability exists in all versions up to and including 1.1 due to insufficient sanitization and escaping of user-supplied attributes within the 'edd_download_info_link' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts via the shortcode. Because the malicious script is stored, it executes every time any user accesses the compromised page, potentially leading to session hijacking, data theft, or further exploitation of the victim's browser environment. The vulnerability requires authentication but no user interaction, and the attack surface includes any WordPress site using this plugin with contributors able to add or edit content. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is changed because the vulnerability affects resources beyond the attacker’s privileges by impacting other users visiting the injected pages. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites relying on this plugin for download information display. The lack of patches at the time of reporting necessitates immediate mitigation steps to reduce exposure.

For European organizations, the impact of this vulnerability can be significant, especially for those operating WordPress-based websites that utilize the EDD Download Info plugin for managing downloadable content. Exploitation can lead to unauthorized script execution in the context of site visitors or administrators, potentially resulting in session hijacking, credential theft, defacement, or distribution of malware. This can damage organizational reputation, lead to data breaches involving personal data protected under GDPR, and cause operational disruptions. E-commerce sites or content platforms with contributor roles assigned to multiple users are particularly at risk, as attackers can leverage these roles to inject malicious payloads. The medium severity rating indicates a moderate risk, but the potential for cross-site scripting to escalate into more severe attacks or pivot to internal networks should not be underestimated. Additionally, the vulnerability’s presence in a widely used CMS plugin increases the likelihood of targeted attacks against European organizations with significant online presence.

1. Immediately audit WordPress sites to identify installations of the EDD Download Info plugin and verify the version in use. 2. Restrict contributor-level permissions to trusted users only, minimizing the risk of malicious shortcode injection. 3. Until an official patch is released, implement manual input validation and output escaping for the 'edd_download_info_link' shortcode parameters by customizing the plugin or using security plugins that sanitize shortcode inputs. 4. Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting this plugin’s shortcode. 5. Monitor site content for unexpected or suspicious shortcode usage, especially from contributors. 6. Educate content contributors about the risks of injecting untrusted code and enforce strict content review policies. 7. Once available, promptly apply official patches or updates from the plugin vendor. 8. Consider disabling or replacing the plugin with alternatives that follow secure coding practices if immediate patching is not feasible.