CVE-2025-14144 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Mstoic Shortcodes plugin for WordPress, specifically within the ms_youtube_embeds shortcode's 'start' parameter. This vulnerability is due to insufficient sanitization and escaping of user-supplied input before it is embedded into web pages. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into the 'start' parameter, which is then stored persistently in the WordPress database. When any user accesses a page containing the injected shortcode, the malicious script executes in their browser context, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability affects all plugin versions up to and including 2.0. The CVSS 3.1 base score of 6.4 reflects a medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and scope change due to impact on other components. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for WordPress sites using this plugin, especially those allowing multiple contributors. The lack of available patches at the time of reporting necessitates immediate mitigation steps to reduce exposure.

The primary impact of this vulnerability is the compromise of confidentiality and integrity of users interacting with affected WordPress sites. Exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, which can lead to theft of authentication cookies, defacement of website content, or unauthorized actions performed on behalf of users. Since the vulnerability requires Contributor-level access, attackers who have already gained limited access can escalate their impact significantly. This can facilitate further attacks such as privilege escalation or lateral movement within the site administration. For organizations, this can result in reputational damage, loss of user trust, and potential data breaches. The vulnerability does not directly affect availability but can indirectly cause service disruption if exploited for defacement or malicious redirects. Given WordPress's widespread use globally, especially among small to medium enterprises and content creators, the threat surface is considerable.

To mitigate this vulnerability, organizations should first check for updates from the Mstoic Shortcodes plugin vendor and apply any available patches promptly. In the absence of official patches, administrators should consider disabling the ms_youtube_embeds shortcode or restricting its usage to trusted users only. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'start' parameter can provide temporary protection. Additionally, reviewing and tightening user role permissions to limit Contributor-level access reduces the risk of exploitation. Site administrators should also audit existing content for injected scripts and remove any suspicious shortcode instances. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Finally, educating users and administrators about the risks of XSS and safe plugin management practices is essential to prevent similar vulnerabilities.