CVE-2025-14122 is a stored cross-site scripting (XSS) vulnerability identified in the AD Sliding FAQ plugin for WordPress, affecting all versions up to and including 2.4. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes within the 'sliding_faq' shortcode. This flaw allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79 and has a CVSS v3.1 base score of 6.4, indicating medium severity. The attack vector is network-based, requiring low attack complexity and privileges of a contributor or higher, but no user interaction is needed for exploitation. The vulnerability affects the confidentiality and integrity of affected sites but does not impact availability. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability is significant because WordPress powers a large portion of the web, and plugins like AD Sliding FAQ are commonly used to enhance site functionality. Attackers exploiting this vulnerability could compromise site visitors and administrators, leading to broader security breaches.

The impact of CVE-2025-14122 is primarily on the confidentiality and integrity of WordPress sites using the AD Sliding FAQ plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the affected site, potentially stealing cookies, session tokens, or other sensitive information from users. This can lead to account takeover, unauthorized actions, or distribution of malware. Since the vulnerability requires contributor-level access, it assumes some level of trust, but many WordPress sites allow multiple contributors, increasing risk. The vulnerability does not affect availability directly but can lead to reputational damage and loss of user trust. Organizations relying on WordPress for content management, especially those with multiple contributors, are at risk of targeted attacks that exploit this flaw to escalate privileges or compromise user data. The absence of known exploits in the wild suggests limited current exploitation, but the medium severity score and ease of exploitation warrant prompt attention. The vulnerability could be leveraged in phishing campaigns or combined with other vulnerabilities to increase impact.

To mitigate CVE-2025-14122, organizations should first monitor for and apply any official patches or updates released by the anybodesign vendor for the AD Sliding FAQ plugin. Until patches are available, restrict contributor-level access to trusted users only and review user roles to minimize unnecessary privileges. Implement additional input validation and output encoding at the application level to sanitize user-supplied attributes in shortcodes. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting WordPress plugins. Regularly audit installed plugins for vulnerabilities and remove or replace those no longer maintained or deemed insecure. Educate content contributors about the risks of injecting untrusted content and enforce strict content policies. Enable Content Security Policy (CSP) headers to reduce the impact of injected scripts by restricting script execution sources. Finally, maintain regular backups and incident response plans to quickly recover from potential compromises.