CVE-2025-14379 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Testimonials Creator plugin for WordPress version 1.6 developed by adoncreatives. The vulnerability arises from improper neutralization of input during web page generation, specifically due to insufficient input sanitization and output escaping in the plugin's admin settings interface. This flaw allows an authenticated attacker with administrator-level permissions or higher to inject arbitrary JavaScript code into pages managed by the plugin. The malicious script is stored persistently and executes whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or further privilege escalation within the WordPress environment. Notably, this vulnerability only affects multi-site WordPress installations or those where the unfiltered_html capability has been disabled, limiting the scope of impact. The CVSS v3.1 score is 4.4 (medium severity), reflecting that exploitation requires high privileges (administrator), has a network attack vector, high attack complexity, no user interaction, and impacts confidentiality and integrity but not availability. No public exploits have been reported to date. The vulnerability was published on January 14, 2026, and is currently unpatched as no patch links are provided. The vulnerability's existence underscores the importance of secure coding practices in WordPress plugins, especially those handling administrative inputs that affect front-end content rendering.

For European organizations, the impact of CVE-2025-14379 can be significant in environments using WordPress multi-site installations with the Testimonials Creator plugin version 1.6. Successful exploitation could allow attackers with admin access to inject malicious scripts that compromise user sessions, steal sensitive data, or perform unauthorized actions within the WordPress admin or user context. This undermines the confidentiality and integrity of the affected websites, potentially damaging organizational reputation and leading to data breaches. Although availability is not directly impacted, the indirect consequences of compromised administrative control could disrupt operations. Organizations in sectors such as e-commerce, government, education, and media that rely heavily on WordPress multi-site setups are particularly vulnerable. Given the requirement for administrator privileges, the threat is more relevant in environments where admin credentials are weak, reused, or exposed. The lack of known exploits reduces immediate risk but does not eliminate the potential for targeted attacks, especially as threat actors often exploit such vulnerabilities once disclosed. The vulnerability also poses risks for European hosting providers and managed service providers offering WordPress multi-site hosting, as compromise could cascade to multiple client sites.

1. Immediately audit WordPress multi-site installations to identify use of the Testimonials Creator plugin version 1.6 and disable or remove the plugin if possible. 2. Restrict administrator-level access strictly to trusted personnel and enforce strong, unique passwords combined with multi-factor authentication (MFA) to reduce the risk of credential compromise. 3. Implement Web Application Firewalls (WAF) with custom rules to detect and block suspicious script injection attempts targeting the plugin's admin settings. 4. Monitor WordPress logs and admin activity for unusual changes or script injections in testimonial pages. 5. If patching is not yet available, consider applying manual input sanitization and output escaping in the plugin code or using security plugins that enforce content filtering. 6. Educate administrators about the risks of XSS and the importance of cautious input handling in admin interfaces. 7. Regularly back up WordPress sites and test restoration procedures to mitigate damage from potential compromises. 8. Coordinate with plugin developers or security vendors for updates or patches and apply them promptly once released.