CVE-2025-14122 identifies a stored cross-site scripting (XSS) vulnerability in the AD Sliding FAQ plugin for WordPress, developed by anybodesign. The flaw exists in all versions up to and including 2.4, where the plugin fails to properly sanitize and escape user-supplied input passed through the 'sliding_faq' shortcode attributes. This improper neutralization of input (CWE-79) allows authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability requires authentication but no user interaction to trigger once the malicious content is stored. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity with no impact on availability. No public exploits have been reported yet, but the vulnerability poses a moderate risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of patches at the time of reporting necessitates immediate mitigation steps to reduce risk.

For European organizations, this vulnerability can lead to unauthorized access to sensitive information, session hijacking, and potential privilege escalation within WordPress-managed websites. Organizations relying on the AD Sliding FAQ plugin for customer-facing or internal knowledge bases risk data leakage and reputational damage if attackers exploit this flaw. Since the attack requires contributor-level access, insider threats or compromised contributor accounts could be leveraged to inject malicious scripts. The persistent nature of stored XSS means that multiple users, including administrators and visitors, can be affected once the malicious payload is embedded. This can disrupt business operations, erode user trust, and potentially facilitate further attacks such as phishing or malware distribution. The impact is heightened in sectors with strict data protection regulations like GDPR, where data breaches can lead to significant fines and legal consequences.

European organizations should immediately audit WordPress sites for the presence of the AD Sliding FAQ plugin and restrict contributor-level access to trusted users only. Until an official patch is released, consider disabling or removing the plugin to eliminate exposure. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode inputs or script injections related to 'sliding_faq'. Employ Content Security Policy (CSP) headers to limit script execution sources, reducing the impact of injected scripts. Conduct regular security training for contributors to recognize phishing and social engineering attempts that could lead to account compromise. Monitor logs for unusual shortcode usage or content changes. Once a patch is available, prioritize its deployment and verify that input sanitization and output escaping are correctly implemented. Additionally, use security plugins that scan for XSS vulnerabilities and perform routine vulnerability assessments on WordPress environments.