CVE-2025-14144 is a stored cross-site scripting vulnerability identified in the Mstoic Shortcodes plugin for WordPress, specifically affecting the ms_youtube_embeds shortcode's 'start' parameter. The vulnerability stems from insufficient sanitization and escaping of user-supplied input, allowing authenticated users with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects all versions up to and including 2.0 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with attack vector being network-based, low attack complexity, requiring privileges (PR:L), no user interaction, and scope changed due to impact on other users. The vulnerability impacts confidentiality and integrity but not availability. No public exploits have been reported yet, and no patches are currently linked, indicating a need for vigilance and proactive mitigation. The flaw is categorized under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks. Given WordPress's widespread use in Europe, this vulnerability poses a tangible risk to websites using the Mstoic Shortcodes plugin, particularly those with multiple contributors who can inject content.

For European organizations, this vulnerability can lead to unauthorized script execution within the context of affected WordPress sites, compromising user sessions, stealing sensitive data, or performing unauthorized actions. Organizations relying on WordPress for content management and collaboration, especially those allowing multiple contributors, face increased risk. The attack requires contributor-level access, so insider threats or compromised contributor accounts are primary vectors. The impact is primarily on confidentiality and integrity, as attackers can hijack sessions or manipulate content, potentially damaging reputation and trust. Although availability is not directly affected, successful exploitation could lead to indirect service disruptions or loss of user confidence. Given the absence of known exploits, the immediate risk is moderate but could escalate if exploit code becomes public. European entities with customer-facing websites or intranets using this plugin should consider the risk significant enough to warrant prompt action.

1. Immediately audit WordPress sites for the presence of the Mstoic Shortcodes plugin and identify versions in use. 2. Restrict Contributor-level permissions to trusted users only, minimizing the risk of malicious content injection. 3. Implement strict content review and approval workflows for user-generated content that uses shortcodes, particularly ms_youtube_embeds. 4. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious shortcode parameters or script injections. 5. Monitor logs and user activity for unusual shortcode usage or content changes indicative of exploitation attempts. 6. Once available, promptly apply official patches or updates from the plugin vendor to remediate the vulnerability. 7. Consider disabling or replacing the vulnerable shortcode functionality if immediate patching is not possible. 8. Educate content contributors about secure content practices and the risks of injecting untrusted code. 9. Use security plugins that provide XSS protection and input sanitization enhancements for WordPress. 10. Regularly back up website data to enable recovery in case of compromise.