CVE-2025-14142 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting the Electric Enquiries plugin for WordPress. The vulnerability exists due to insufficient sanitization and escaping of the 'button' parameter within the electric-enquiry shortcode, allowing malicious scripts to be stored persistently in pages. This flaw affects all versions up to and including 1.1 of the plugin. An attacker with authenticated Contributor-level access or higher can exploit this vulnerability by injecting arbitrary JavaScript code into the 'button' parameter. When any user accesses the compromised page, the injected script executes in their browser context, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and a scope change due to affecting other users. No patches or official fixes have been published yet, and no known exploits are currently in the wild. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow content injection by authenticated users. Mitigations must focus on input validation, output encoding, and restricting permissions to trusted users.

The primary impact of CVE-2025-14142 is the compromise of confidentiality and integrity within affected WordPress sites using the Electric Enquiries plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, performing actions on behalf of users, or defacing content. This can lead to account takeover, data leakage, or unauthorized modifications. Although availability is not directly impacted, the reputational damage and potential for further exploitation can disrupt normal operations. Organizations relying on this plugin, especially those with multiple contributors or public-facing content, face increased risk of targeted attacks. The vulnerability's exploitation requires authenticated access, limiting exposure to internal or trusted users, but insider threats or compromised accounts can still leverage this flaw. The lack of patches increases the window of exposure, and the widespread use of WordPress globally means many organizations could be affected if they use this plugin.

1. Immediately restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 2. Disable or remove the Electric Enquiries plugin until a security patch or update is released by the vendor. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'button' parameter in the electric-enquiry shortcode. 4. Conduct manual code reviews or use security scanners to identify and sanitize all user inputs in the plugin, focusing on proper escaping and validation. 5. Educate site administrators and contributors about the risks of injecting untrusted content and enforce strict content policies. 6. Monitor site logs and user activities for unusual behavior indicative of exploitation attempts. 7. Once a patch is available, apply it promptly and verify that input sanitization and output encoding are correctly implemented. 8. Consider deploying Content Security Policy (CSP) headers to reduce the impact of any injected scripts by restricting script execution sources.