CVE-2025-14506 identifies a stored Cross-Site Scripting (XSS) vulnerability in the ConvertForce Popup Builder plugin for WordPress, specifically in all versions up to and including 0.0.7. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The affected component is the Gutenberg block's entrance_animation attribute, which lacks sufficient input sanitization and output escaping. This flaw allows authenticated attackers with Author-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based, requiring low attack complexity, and privileges at the Author level, but no user interaction is needed. The scope is changed, indicating that the vulnerability affects resources beyond the initially compromised component, impacting confidentiality and integrity but not availability. No patches or updates are currently linked, and no known exploits have been reported in the wild. The plugin is widely used in WordPress environments, which are common globally, making this a relevant threat for many organizations relying on WordPress for web content management.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected WordPress sites. Attackers with Author-level access can inject persistent malicious scripts that execute in the browsers of any user visiting the infected pages, including administrators or other privileged users. This can lead to session hijacking, unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or credentials, and potential spread of malware. Although availability is not directly impacted, the breach of trust and data integrity can cause reputational damage and operational disruptions. Organizations with public-facing WordPress sites using the ConvertForce Popup Builder plugin are at risk, especially those with multiple users having Author or higher privileges. The medium CVSS score reflects that while exploitation requires some level of privilege, the consequences can be significant if leveraged effectively. The lack of known exploits in the wild suggests limited current active exploitation but does not preclude future attacks once the vulnerability becomes widely known.

Organizations should immediately audit their WordPress installations to identify the presence of the ConvertForce Popup Builder plugin, particularly versions up to 0.0.7. Since no official patches are currently linked, administrators should consider the following mitigations: restrict Author-level and higher privileges to trusted users only, minimizing the risk of malicious script injection; implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns related to the entrance_animation attribute; employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts; monitor logs for unusual activity or script injections; and consider temporarily disabling or removing the plugin until a secure update is released. Additionally, educating users with elevated privileges about the risks of injecting untrusted content can reduce exploitation likelihood. Once a patch is available, prompt application is critical. Regular backups and incident response plans should be in place to recover from potential compromises.