CVE-2025-14725 is a stored cross-site scripting vulnerability classified under CWE-79 found in the sablab Internal Link Builder plugin for WordPress. This vulnerability affects all versions up to and including 1.0 and arises from insufficient input sanitization and output escaping in the plugin's admin settings interface. Specifically, authenticated users with administrator-level permissions or higher can inject arbitrary JavaScript code into the plugin's settings. The malicious scripts are stored persistently and executed whenever any user accesses the affected pages, enabling potential attacks such as session hijacking, defacement, or privilege escalation. The vulnerability only manifests in multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting its scope. The CVSS v3.1 score is 4.4 (medium severity), reflecting the requirement for high privileges (PR:H), network attack vector (AV:N), high attack complexity (AC:H), no user interaction (UI:N), and partial impact on confidentiality and integrity (C:L/I:L). No public exploits have been reported, and no official patches are currently available. The vulnerability was reserved in December 2025 and published in January 2026. Given the nature of WordPress multi-site environments and the plugin's usage, this vulnerability poses a moderate risk to affected organizations, especially those with multiple administrators or users accessing shared sites.

The primary impact of this vulnerability is the potential execution of arbitrary JavaScript code within the context of affected WordPress sites. This can lead to session hijacking, theft of sensitive data, unauthorized actions performed on behalf of users, and possible privilege escalation if combined with other vulnerabilities. Since the vulnerability requires administrator-level access to inject the payload, the risk is somewhat mitigated by the need for high privileges; however, insider threats or compromised admin accounts could exploit this flaw. The multi-site installation requirement means that organizations running large WordPress networks are more vulnerable, potentially affecting multiple sites simultaneously. The lack of user interaction needed for exploitation increases the risk of automated or stealthy attacks once the malicious script is injected. Although availability is not impacted, the confidentiality and integrity of site data and user sessions are at risk. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a concern for organizations relying on this plugin in multi-site environments.

Organizations should immediately audit their WordPress installations to identify the presence of the sablab Internal Link Builder plugin, especially in multi-site configurations. Restrict administrator-level access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Disable or limit the use of the plugin if it is not essential. Monitor admin settings pages for suspicious changes or injected scripts. Employ web application firewalls (WAFs) with custom rules to detect and block malicious script injections targeting this plugin. Regularly review and sanitize all inputs and outputs related to plugin settings if custom modifications are made. Stay alert for official patches or updates from the vendor and apply them promptly once released. Consider implementing Content Security Policy (CSP) headers to limit the impact of injected scripts. Finally, educate administrators about the risks of stored XSS and the importance of secure plugin management.