CVE-2025-14145 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'Niche Hero | Beautifully-designed blocks in seconds' developed by djrowling. The vulnerability exists in all versions up to and including 1.0.5. It stems from improper neutralization of input during web page generation, specifically due to insufficient sanitization and escaping of the 'spacing' parameter within the nh_row shortcode. Authenticated users with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the victim. The vulnerability does not require user interaction beyond visiting the affected page, and the attacker only needs low privileges (Contributor or above) to exploit it. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed, indicating that the vulnerability affects resources beyond the attacker’s privileges. No public exploits have been reported yet, but the risk remains significant due to the common use of WordPress and the plugin. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps.

The impact of this vulnerability is primarily on the confidentiality and integrity of affected WordPress sites. An attacker with Contributor-level access can inject malicious scripts that execute in the context of other users’ browsers, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of users with higher privileges. This can lead to account compromise, data leakage, defacement, or further exploitation within the site. Since the vulnerability is stored, the malicious payload persists and affects all users who visit the infected page, increasing the attack surface. The availability impact is minimal as the vulnerability does not directly cause denial of service. Organizations running websites with this plugin, especially those allowing Contributor-level users to add content, face risks of reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. The medium CVSS score reflects a moderate but actionable threat that should be addressed promptly to prevent exploitation.

1. Immediately restrict Contributor-level and higher user permissions to trusted individuals until a patch is available. 2. Implement strict input validation and output encoding for the 'spacing' parameter in the nh_row shortcode, either via custom code or security plugins that enforce sanitization. 3. Monitor all user-generated content for suspicious scripts or unexpected HTML tags, using automated scanning tools or manual review. 4. Disable or remove the Niche Hero plugin if it is not essential to reduce the attack surface. 5. Keep WordPress core, themes, and plugins updated regularly and subscribe to vendor security advisories for timely patch releases. 6. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 7. Use Web Application Firewalls (WAFs) that can detect and block XSS payloads targeting this plugin. 8. Educate content contributors about safe content practices and the risks of injecting untrusted code. 9. Once a patch is released, apply it immediately and verify the remediation by testing the affected shortcode parameters.