CVE-2025-14721 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Responsive and Swipe Slider WordPress plugin developed by mansoormunib. The issue exists in all plugin versions up to and including 1.0.2 and stems from improper neutralization of input during web page generation, specifically within the rsSlider shortcode. The vulnerability is classified under CWE-79, indicating insufficient sanitization and output escaping of user-supplied attributes. Authenticated users with contributor-level or higher privileges can exploit this flaw by injecting arbitrary JavaScript code into pages using the vulnerable shortcode. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. The CVSS 3.1 base score is 5.5, with vector AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, required high privileges, no user interaction, scope change, and limited confidentiality and integrity impact without availability impact. No public exploits have been reported yet, but the vulnerability poses a risk in environments where multiple users have contributor or higher access. The lack of patches at the time of publication necessitates immediate mitigation steps to reduce exposure.

The vulnerability allows authenticated contributors or higher to inject persistent malicious scripts into WordPress pages, which execute in the context of any user viewing those pages. This can lead to theft of sensitive information such as authentication cookies, enabling session hijacking, privilege escalation, or unauthorized actions performed by victims unknowingly. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the attacker's privileges, increasing risk. Although availability is not impacted, the confidentiality and integrity of user data and site content are at risk. Organizations with multiple contributors or editors are particularly vulnerable, as attackers can leverage legitimate access to implant scripts. This can damage organizational reputation, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities rapidly after disclosure.

1. Immediately restrict contributor-level and higher user privileges to trusted personnel only, minimizing the risk of malicious shortcode usage. 2. Monitor and audit all uses of the rsSlider shortcode in site content to detect suspicious or unauthorized script injections. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the plugin's shortcode parameters. 4. Disable or remove the Responsive and Swipe Slider plugin if it is not essential, or replace it with a more secure alternative. 5. Apply any vendor-provided patches or updates as soon as they become available; maintain close communication with the plugin developer or community for updates. 6. Educate content contributors about safe input practices and the risks of injecting scripts. 7. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 8. Regularly back up website content and configurations to enable recovery in case of compromise.