CVE-2025-14393 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Wpik WordPress Basic Ajax Form plugin, maintained by awanhrp. This vulnerability exists in all versions up to and including 1.0 due to insufficient sanitization and escaping of the 'dname' parameter during web page generation. Specifically, the plugin fails to properly neutralize input before embedding it into pages, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code. Because this is a stored XSS, the malicious script is saved on the server and executed in the browsers of any users who visit the affected page, potentially compromising their sessions or enabling further attacks such as privilege escalation or data theft. The vulnerability requires authentication but no user interaction, and the scope is limited to sites using this specific plugin. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and partial impact on confidentiality and integrity. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly to avoid exploitation.

The primary impact of this vulnerability is the potential for attackers with Contributor-level access to inject malicious scripts that execute in the browsers of site visitors or administrators. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential privilege escalation within the WordPress environment. Since the vulnerability affects all versions of the plugin up to 1.0, any site using this plugin is at risk. The exploitation could undermine trust in the affected websites, cause data breaches, and disrupt normal operations. Organizations relying on this plugin for form handling may face reputational damage and compliance issues if user data is compromised. Although no known exploits are reported in the wild, the ease of exploitation by authenticated users and the widespread use of WordPress increase the likelihood of targeted attacks, especially against sites with multiple contributors.

To mitigate this vulnerability, organizations should first check if an updated version of the Wpik WordPress Basic Ajax Form plugin is available that addresses the XSS issue and apply it immediately. If no patch is available, administrators should consider disabling or removing the plugin until a fix is released. Implement strict role-based access controls to limit Contributor-level permissions only to trusted users, reducing the risk of malicious script injection. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the 'dname' parameter. Additionally, enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. Regularly audit user-generated content and monitor logs for unusual activity related to form submissions. Educate contributors about safe input practices and the risks of injecting untrusted content. Finally, maintain regular backups to enable quick recovery if an attack occurs.