CVE-2025-14122 is a stored Cross-Site Scripting (XSS) vulnerability identified in the AD Sliding FAQ plugin for WordPress, developed by anybodesign. This vulnerability exists in all versions up to and including 2.4 due to insufficient sanitization and escaping of user-supplied attributes passed via the 'sliding_faq' shortcode. Specifically, authenticated users with contributor-level access or higher can inject arbitrary JavaScript code into pages or posts using this shortcode. Because the injected scripts are stored persistently, they execute in the context of any user who views the affected page, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or defacement. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. No public exploits have been reported yet. The vulnerability affects the confidentiality and integrity of user data but does not impact availability. The root cause is the plugin's failure to properly sanitize and encode inputs before rendering them in the webpage, allowing malicious scripts to be stored and executed. This issue is particularly concerning for WordPress sites that allow contributors to add or edit content, as it expands the attack surface beyond administrators. Since WordPress is widely used across Europe, and the AD Sliding FAQ plugin is a popular add-on for FAQ management, this vulnerability poses a tangible risk to many organizations. The lack of available patches at the time of publication necessitates immediate mitigation through access control and monitoring.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information, session hijacking, and potential privilege escalation within WordPress environments. Since contributors can inject scripts that execute in the browsers of site visitors or administrators, attackers might steal authentication cookies or perform actions on behalf of users with higher privileges. This can compromise the integrity of website content and user data, damage organizational reputation, and potentially facilitate further attacks such as phishing or malware distribution. The impact is heightened in sectors relying heavily on WordPress for public-facing or internal knowledge bases, such as government agencies, educational institutions, and SMEs. Although availability is not directly affected, the breach of confidentiality and integrity can disrupt business operations and trust. The medium severity rating suggests a significant but not critical threat, yet the ease of exploitation by authenticated users makes it a priority for organizations with multi-user WordPress setups. The absence of known exploits in the wild provides a window for proactive defense but should not lead to complacency.

1. Immediately restrict contributor-level access and review user roles to ensure only trusted users have content editing privileges. 2. Monitor and audit all content submissions involving the 'sliding_faq' shortcode for suspicious or unexpected script content. 3. Apply any available patches or updates from the plugin vendor as soon as they are released. 4. Implement Web Application Firewall (WAF) rules to detect and block malicious script injections targeting the shortcode parameters. 5. Use security plugins that enforce strict input validation and output encoding on user-generated content. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Consider temporarily disabling the AD Sliding FAQ plugin if immediate patching is not possible and the risk is high. 8. Regularly back up WordPress sites to enable quick restoration if compromise occurs. 9. Conduct penetration testing focused on XSS vulnerabilities in WordPress environments to identify similar issues. 10. Employ Content Security Policy (CSP) headers to limit the impact of any injected scripts.