CVE-2025-14554 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Sell BTC – Cryptocurrency Selling Calculator plugin for WordPress developed by hayyatapps. This vulnerability affects all plugin versions up to and including 1.5, due to insufficient sanitization and escaping of user-supplied input in the 'orderform_data' AJAX action. An unauthenticated attacker can exploit this flaw by injecting arbitrary JavaScript code into order records. When an administrator accesses the Orders page within the WordPress admin dashboard, the malicious script executes in their browser context. This can lead to session hijacking, credential theft, or further administrative control compromise. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating it is remotely exploitable over the network without authentication or user interaction, with a scope change affecting confidentiality and integrity. Although version 1.5 includes a partial fix, no complete patch has been released, leaving many installations vulnerable. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the potential impact. This vulnerability is particularly critical for organizations relying on this plugin for cryptocurrency transaction calculations, as compromise could lead to financial fraud or administrative takeover.

The impact of CVE-2025-14554 is significant for organizations using the Sell BTC plugin, especially those involved in cryptocurrency transactions. Successful exploitation allows attackers to execute arbitrary scripts in the context of an administrator’s browser, potentially leading to theft of admin credentials, session tokens, or the injection of further malicious payloads. This can result in unauthorized access to the WordPress admin dashboard, enabling attackers to manipulate site content, alter transaction data, or deploy persistent backdoors. The confidentiality and integrity of sensitive financial and user data are at risk, which could lead to financial losses, reputational damage, and regulatory consequences. Since the vulnerability does not affect availability, denial-of-service is less of a concern, but the scope change (affecting admin privileges) amplifies the severity. Organizations with high-value cryptocurrency operations or those with large WordPress admin teams are particularly vulnerable. The ease of exploitation without authentication or user interaction increases the likelihood of attacks, especially if attackers discover automated methods to inject malicious payloads.

To mitigate CVE-2025-14554, organizations should immediately update the Sell BTC plugin to the latest version once a full patch is released by hayyatapps. Until then, consider disabling or removing the plugin if it is not critical to operations. Implement Web Application Firewall (WAF) rules to detect and block suspicious AJAX requests targeting the 'orderform_data' action. Restrict access to the WordPress admin dashboard by IP whitelisting or VPN to reduce exposure to unauthenticated attackers. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the admin interface. Regularly audit order records for suspicious content and sanitize existing data to remove injected scripts. Educate administrators to avoid clicking unknown links or executing untrusted scripts within the admin environment. Monitor logs for unusual AJAX activity and failed sanitization attempts. Finally, maintain regular backups of the WordPress site and database to enable recovery in case of compromise.