CVE-2025-14554: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in hayyatapps Sell BTC – Cryptocurrency Selling Calculator
CVE-2025-14554 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in the Sell BTC – Cryptocurrency Selling Calculator WordPress plugin by hayyatapps. It affects all versions up to and including 1.5, allowing unauthenticated attackers to inject malicious scripts via the 'orderform_data' AJAX action. These scripts execute when an administrator views the Orders page, potentially compromising administrative accounts and site integrity. The vulnerability arises from insufficient input sanitization and output escaping. Although partially patched in version 1.5, the issue remains in earlier versions. Exploitation requires no authentication or user interaction, and the vulnerability impacts confidentiality and integrity without affecting availability. No known exploits are currently reported in the wild. European organizations using this plugin, especially those involved in cryptocurrency transactions, are at risk.
AI Analysis
Technical Summary
CVE-2025-14554 identifies a Stored Cross-Site Scripting (XSS) vulnerability in the Sell BTC – Cryptocurrency Selling Calculator plugin for WordPress, developed by hayyatapps. The vulnerability exists in all versions up to and including 1.5 due to improper neutralization of input during web page generation, specifically in the 'orderform_data' AJAX action. Attackers can exploit this flaw by injecting arbitrary JavaScript code into order records without requiring authentication or user interaction. When an administrator accesses the Orders page within the WordPress admin dashboard, the malicious script executes in their browser context. This can lead to session hijacking, theft of administrative credentials, or further compromise of the WordPress site. The root cause is insufficient input sanitization and output escaping, which allows malicious payloads to persist in the database and be rendered unsafely. Although version 1.5 partially addresses the issue, earlier versions remain vulnerable. The vulnerability has a CVSS 3.1 score of 7.2 (high severity), reflecting its network attack vector, low attack complexity, no privileges or user interaction required, and impact on confidentiality and integrity with a scope change. No public exploits have been reported yet, but the risk is significant given the plugin’s use in cryptocurrency-related transactions, which are attractive targets for attackers. The vulnerability affects all installations of the plugin up to version 1.5, emphasizing the need for patching and additional protective measures.
Potential Impact
For European organizations, especially those operating cryptocurrency-related websites or services using WordPress, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized access to administrative accounts, enabling attackers to manipulate order data, steal sensitive financial information, or deploy further malware. The compromise of administrative credentials can result in full site takeover, data breaches, and reputational damage. Given the financial nature of the plugin, attackers may also attempt to redirect transactions or manipulate cryptocurrency sales, causing direct financial loss. The vulnerability’s ability to be exploited remotely without authentication increases the attack surface. Organizations in Europe with strict data protection regulations such as GDPR face additional compliance risks if customer data is exposed. The threat is particularly relevant for small to medium enterprises and cryptocurrency exchanges or brokers using this plugin. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the high severity score indicates urgent attention is required to prevent potential attacks.
Mitigation Recommendations
1. Immediately update the Sell BTC – Cryptocurrency Selling Calculator plugin to the latest available version that addresses this vulnerability. If no fully patched version exists beyond 1.5, consider disabling or removing the plugin until a secure update is released.
2. Implement strict input validation and output encoding on all user-supplied data related to order forms, especially within the 'orderform_data' AJAX handler, to prevent injection of malicious scripts.
3. Restrict access to the WordPress admin dashboard and Orders page using IP whitelisting, VPNs, or multi-factor authentication to reduce exposure of administrative interfaces.
4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable AJAX action.
5. Regularly audit and monitor WordPress logs for unusual activity or unexpected script injections in order records.
6. Educate administrators about the risks of XSS and encourage cautious behavior when reviewing order data.
7. Back up WordPress sites and databases frequently to enable recovery in case of compromise.
8. Consider isolating cryptocurrency-related WordPress plugins on separate instances or containers to limit blast radius.
These targeted measures go beyond generic advice and address the specific attack vector and context of this vulnerability.
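As an added illustration of the sanitization and escaping gap described in the Technical Summary and targeted by recommendation 2 (this is not the plugin's or the author's code), a hypothetical WordPress AJAX handler for the 'orderform_data' action is shown first in the vulnerable shape and then hardened; the table name, field names, nonce action and wallet pattern are assumptions.

```php
<?php
// Hypothetical handler (not the plugin's code) for the 'orderform_data'
// action. Table name, field names and the wallet pattern are assumed.

// --- Vulnerable shape: raw input stored, raw output echoed ---
function orderform_data_vulnerable() {
    global $wpdb;
    // Registered for visitors via wp_ajax_nopriv_, so anyone can post.
    $wpdb->insert( $wpdb->prefix . 'sellbtc_orders', array(
        'wallet' => $_POST['wallet'],
        'amount' => $_POST['amount'],
    ) );
    wp_send_json_success();
}
// Admin Orders page echoes the stored value unescaped: a script tag saved
// above now runs in the administrator's browser.
function render_orders_vulnerable( array $rows ) {
    foreach ( $rows as $row ) {
        echo '<td>' . $row->wallet . '</td>';
    }
}
// --- Hardened shape ---
function orderform_data_hardened() {
    global $wpdb;
    // Tie the request to a nonce issued with the form (works for visitors).
    check_ajax_referer( 'sellbtc_orderform', 'nonce' );
    // Validate each field against its expected shape, then sanitize.
    $wallet = sanitize_text_field( wp_unslash( $_POST['wallet'] ?? '' ) );
    if ( ! preg_match( '/^[A-Za-z0-9]{25,62}$/', $wallet ) ) {
        wp_send_json_error( 'invalid wallet', 400 );
    }
    $amount = (float) ( $_POST['amount'] ?? 0 );
    if ( $amount <= 0 ) {
        wp_send_json_error( 'invalid amount', 400 );
    }
    // Explicit formats: values are bound as string/float, not interpolated.
    $wpdb->insert( $wpdb->prefix . 'sellbtc_orders',
        array( 'wallet' => $wallet, 'amount' => $amount ),
        array( '%s', '%f' ) );
    wp_send_json_success();
}
// Escape at output no matter what is stored; this step alone stops the XSS.
function render_orders_hardened( array $rows ) {
    foreach ( $rows as $row ) {
        echo '<td>' . esc_html( $row->wallet ) . '</td>';
    }
}
add_action( 'wp_ajax_nopriv_orderform_data', 'orderform_data_hardened' );
add_action( 'wp_ajax_orderform_data', 'orderform_data_hardened' );
```

Output escaping with esc_html() is the control that neutralizes records already stored by an unpatched version; input validation limits what new records can contain but does not clean the existing table.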
Affected Countries
Germany, United Kingdom, France, Netherlands, Switzerland, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-12T01:37:39.254Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697e06d8ac0632022235a598
Added to database: 1/31/2026, 1:42:48 PM
Last enriched: 1/31/2026, 1:57:03 PM
Last updated: 2/1/2026, 7:39:35 AM