CVE-2025-14144 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Mstoic Shortcodes plugin for WordPress, specifically within the ms_youtube_embeds shortcode's 'start' parameter. The vulnerability exists due to insufficient sanitization and escaping of user-supplied input before it is embedded in web pages. This flaw allows authenticated attackers with at least Contributor-level privileges to inject arbitrary JavaScript code into WordPress pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability affects all versions up to and including 2.0 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges, no user interaction, and a scope change. The impact primarily concerns confidentiality and integrity, with no direct availability impact. No patches were linked at the time of publication, and no known exploits in the wild have been reported. The vulnerability was reserved in December 2025 and published in January 2026 by Wordfence. This vulnerability is categorized under CWE-79, which relates to improper neutralization of input during web page generation, a common vector for XSS attacks in web applications.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web applications running WordPress with the Mstoic Shortcodes plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of legitimate users. This can undermine trust in corporate websites, damage brand reputation, and lead to compliance issues under regulations such as GDPR if personal data is compromised. Since the vulnerability requires authenticated access, organizations with multiple content contributors or editors are at higher risk. The lack of availability impact means service disruption is unlikely, but the stealthy nature of stored XSS can facilitate persistent attacks and lateral movement within web environments. The absence of known exploits currently provides a window for proactive mitigation before widespread exploitation occurs.

1. Monitor the Mstoic Shortcodes plugin repository and vendor announcements closely for official patches and apply them immediately upon release. 2. Until a patch is available, restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input. 3. Implement Web Application Firewall (WAF) rules that detect and block suspicious script tags or JavaScript event handlers in shortcode parameters, particularly the 'start' parameter. 4. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of injected scripts. 5. Conduct regular security audits and code reviews of custom shortcodes or plugins to ensure proper input validation and output encoding. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission guidelines. 7. Consider disabling or replacing the Mstoic Shortcodes plugin if it is not essential to reduce attack surface. 8. Use security plugins that scan for XSS payloads and alert administrators to suspicious content injections.