CVE-2025-14721: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mansoormunib RESPONSIVE AND SWIPE SLIDER!
The Responsive and Swipe slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rsSlider shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-14721 is a stored Cross-Site Scripting (XSS) vulnerability in the Responsive and Swipe Slider WordPress plugin developed by mansoormunib. The flaw exists in all versions up to and including 1.0.2: the plugin fails to sanitize and escape user-supplied attributes passed through its rsSlider shortcode. This improper neutralization of input (CWE-79) allows an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript into pages or posts. Because the injected markup is stored persistently in the WordPress database, the script executes in the browser of any user who views the compromised page, potentially exposing session tokens or cookies and enabling further malicious actions such as privilege escalation or defacement. Exploitation requires authentication but no user interaction beyond viewing the page. The CVSS v3.1 base score is 5.5 (medium severity), reflecting a network attack vector, low attack complexity, high privileges required, no user interaction, and partial confidentiality and integrity impact. No official patches or updates have been published yet, and no exploits are known in the wild. The vulnerability illustrates the risk of insufficient input validation in WordPress plugins, especially those that let shortcode attributes be user-controlled. Organizations relying on this plugin should monitor for updates and consider immediate mitigations.
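The bug class described above, shown as an added example that is not the plugin's code and not taken from the advisory: a shortcode handler that interpolates attributes verbatim, beside a hardened version that allow-lists the attributes, coerces types and escapes for the HTML context each value lands in. The shortcode tag `example_slider` and the attribute names `id`, `title`, `width`, `speed` and `link` are hypothetical; the page does not document rsSlider's actual attribute set. The WordPress functions used (`shortcode_atts`, `esc_attr`, `esc_url`, `absint`, `add_shortcode`) are real core APIs; the stand-ins at the top only exist so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example (not the plugin's code): the shortcode-handler pattern the
// advisory describes, unsafe and hardened side by side. The tag 'example_slider'
// and the attribute names (id, title, width, speed, link) are hypothetical.

// Minimal stand-ins so the file also runs under plain `php` outside WordPress.
// Inside WordPress these guards are false and the real core functions are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        // Simplified: the real esc_url() allows a few more schemes (mailto:, tel:, ...)
        // but likewise drops javascript: and data: URLs.
        $url = trim((string) $url);
        return preg_match('#^https?://#i', $url) ? htmlspecialchars($url, ENT_QUOTES, 'UTF-8') : '';
    }
}
if (!function_exists('absint')) {
    function absint($n) { return abs((int) $n); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        $atts = (array) $atts; // WordPress passes '' when a shortcode has no attributes
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// UNSAFE: every attribute is interpolated verbatim (CWE-79). A quote or angle
// bracket in any attribute rewrites the markup; the shortcode is stored with the
// post and the resulting HTML is rendered for every visitor.
function example_slider_unsafe($atts) {
    return '<div class="slider" id="' . $atts['id'] . '" title="' . $atts['title'] . '"'
         . ' style="width:' . $atts['width'] . 'px">'
         . '<a href="' . $atts['link'] . '">slide</a></div>';
}

// HARDENED: allow-list the attributes, coerce each to its expected type, and
// escape for the context it lands in (HTML attribute, URL, number).
function example_slider_safe($atts) {
    $a = shortcode_atts([
        'id'    => 'slider',
        'title' => '',
        'width' => 600,
        'speed' => 3000,
        'link'  => '',
    ], $atts);

    $id    = preg_replace('/[^A-Za-z0-9_-]/', '', (string) $a['id']); // allow-listed characters for an id
    $width = absint($a['width']);                                        // numeric: cast, never echo raw
    $speed = absint($a['speed']);
    $link  = esc_url($a['link']);                                        // URL context: scheme check + escaping

    $html  = '<div class="slider" id="' . esc_attr($id) . '"'
           . ' title="' . esc_attr($a['title']) . '"'                   // attribute context
           . ' data-speed="' . esc_attr($speed) . '"'
           . ' style="width:' . esc_attr($width) . 'px">';
    if ($link !== '') {
        $html .= '<a href="' . $link . '">slide</a>';                   // esc_url() output is attribute-safe
    }
    return $html . '</div>';
}

if (function_exists('add_shortcode')) {
    add_shortcode('example_slider', 'example_slider_safe');
}

if (PHP_SAPI === 'cli') {
    // Constructed attributes: a quote in the title, a non-numeric width, a non-http link.
    $atts = ['id' => 'hero', 'title' => 'Summer "Sale"', 'width' => '800px', 'link' => 'javascript:void(0)'];
    echo "unsafe: ", example_slider_unsafe($atts), "\n";
    echo "safe:   ", example_slider_safe($atts), "\n";
}
```

Run with `php example_slider.php`: the unsafe handler emits the quote unescaped (breaking the `title` attribute), passes `800pxpx` as a width, and keeps the non-http link; the hardened handler emits `title="Summer &quot;Sale&quot;"`, `width:800px`, and drops the link entirely because `esc_url()` rejects the scheme. The design point is that escaping is chosen per context: `esc_attr()` for attribute values, `esc_url()` for anything that becomes an `href` or `src`, and an integer cast for anything numeric, applied at output time rather than relying on what was stored.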
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to websites using the Responsive and Swipe Slider plugin on WordPress. Exploitation could lead to unauthorized script execution in users' browsers, resulting in session hijacking, defacement, or distribution of malware. This can damage organizational reputation, lead to data leakage, and potentially facilitate further attacks within the network if administrative accounts are compromised. Since contributor-level access is required, the threat is heightened in environments with multiple content editors or where account credentials may be weak or reused. The impact is particularly significant for organizations with public-facing websites that handle sensitive user data or provide critical services. Additionally, regulatory frameworks such as GDPR impose strict requirements on protecting user data, and exploitation of this vulnerability could lead to compliance violations and financial penalties. The absence of known exploits reduces immediate risk but should not lead to complacency.
Mitigation Recommendations
1. Immediately restrict contributor-level access to trusted personnel only and review existing user privileges to reduce the pool of potential attackers.
2. Monitor WordPress sites for unusual shortcode usage or unexpected script injections in page content.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute patterns or script tags.
4. Disable or remove the Responsive and Swipe Slider plugin if it is not essential until a patched version is released.
5. Encourage the plugin developers or community to release a security update that properly sanitizes and escapes all user inputs in the rsSlider shortcode.
6. Educate content editors about the risks of inserting untrusted content and enforce strong authentication mechanisms (e.g., MFA) for all WordPress accounts.
7. Regularly back up website data to enable quick restoration if a compromise occurs.
8. Conduct security audits and vulnerability scans focusing on WordPress plugins and shortcode usage.
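Recommendation 2 (monitor stored content for unexpected script injections in shortcode attributes) as an added example that is not part of the advisory: a small audit routine that finds every `[rsSlider ...]` occurrence in post content and reports attribute values containing markup, non-http URL schemes, or attribute names of the `on*` event-handler form. The sample posts are constructed for the demo; the attribute parser is a simplified stand-in for WordPress's `shortcode_parse_atts()`, and the thresholds (what counts as suspicious) are this example's assumption, not the plugin's.

```php
<?php
// Added example (not from the advisory or the plugin): audit stored post content
// for a shortcode tag and report attribute values that look like markup or
// script-bearing URLs. Sample posts below are constructed for the demo.

/**
 * Parse key="value" / key='value' / key=value pairs from a shortcode attribute
 * string. Simplified stand-in for WordPress's shortcode_parse_atts().
 */
function parse_attrs(string $attr_string): array {
    $attrs   = [];
    $pattern = '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/';
    if (preg_match_all($pattern, $attr_string, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            $value = '';
            for ($i = 2; $i <= 4; $i++) {            // whichever quoting style matched
                if (isset($match[$i]) && $match[$i] !== '') { $value = $match[$i]; break; }
            }
            $attrs[strtolower($match[1])] = $value;
        }
    }
    return $attrs;
}

/**
 * Return one finding per suspicious attribute for every [$tag ...] in $content.
 * An empty array means nothing matched the heuristics.
 */
function audit_shortcode(string $content, string $tag): array {
    $findings  = [];
    $shortcode = '/\[' . preg_quote($tag, '/') . '(\s[^\]]*)?\]/i';
    if (!preg_match_all($shortcode, $content, $m, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($m as $match) {
        foreach (parse_attrs($match[1] ?? '') as $name => $value) {
            $decoded = html_entity_decode($value, ENT_QUOTES, 'UTF-8'); // see through entity encoding
            $reason  = null;
            if (preg_match('/^on\w+$/i', $name)) {
                $reason = 'event-handler attribute name';          // no legitimate slider attr looks like this (assumption)
            } elseif (preg_match('/[<>]/', $decoded)) {
                $reason = 'markup characters in attribute value';
            } elseif (preg_match('/^\s*(javascript|data|vbscript):/i', $decoded)) {
                $reason = 'non-http URL scheme in attribute value';
            }
            if ($reason !== null) {
                $findings[] = ['shortcode' => $match[0], 'attr' => $name, 'reason' => $reason];
            }
        }
    }
    return $findings;
}

// Constructed sample rows in the shape of wp_posts (ID, post_content).
$sample_posts = [
    ['ID' => 101, 'post_content' => 'Intro text [rsSlider id="home-hero" width="800"] more text'],
    ['ID' => 102, 'post_content' => '[rsSlider id="promo" link="javascript:void(0)"]'],
    ['ID' => 103, 'post_content' => '[rsSlider id="x" title="<b>Sale</b>" onload="x"]'],
];

if (PHP_SAPI === 'cli') {
    foreach ($sample_posts as $post) {
        foreach (audit_shortcode($post['post_content'], 'rsSlider') as $f) {
            printf("post %d: attribute '%s' in %s: %s\n",
                   $post['ID'], $f['attr'], $f['shortcode'], $f['reason']);
        }
    }
}
```

Post 101 produces no finding; post 102 is reported for the `link` scheme, and post 103 for both the `title` markup and the `onload` attribute name. On a live site the same function can be fed rows from `$wpdb->get_results("SELECT ID, post_content FROM {$wpdb->posts} WHERE post_content LIKE '%[rsSlider%'")` (including revisions, since an injected shortcode may survive only there), and a non-empty result is the signal to review who edited the post and when.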
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-15T14:27:14.928Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694619d2c376abdb7ecb86cb
Added to database: 12/20/2025, 3:36:50 AM
Last enriched: 12/27/2025, 4:24:19 AM
Last updated: 2/5/2026, 5:36:16 PM