CVE-2025-14735 identifies a stored cross-site scripting (XSS) vulnerability classified under CWE-80 in the nestornoe Amazon affiliate lite plugin for WordPress. This vulnerability affects all versions up to and including 1.0.0. The root cause is insufficient sanitization and escaping of input in the plugin's admin settings, which allows an attacker with administrator-level privileges to inject arbitrary JavaScript code into pages served by the WordPress site. The vulnerability manifests only in multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting the scope of affected environments. When exploited, the injected scripts execute in the context of users accessing the compromised pages, potentially allowing session hijacking, defacement, or further privilege escalation. The attack vector requires network access (remote) and high privileges (administrator), with no user interaction needed once the malicious script is injected. The CVSS 3.1 base score is 4.4, reflecting a medium severity due to the requirement for authenticated high-level access and the limited confidentiality and integrity impact. No patches or known exploits are currently available, indicating the need for proactive mitigation by site administrators.

The primary impact of this vulnerability is the potential for stored XSS attacks that can compromise the confidentiality and integrity of user sessions and data. An attacker with administrator privileges can inject malicious scripts that execute in the browsers of users visiting affected pages, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of users. Although the vulnerability requires high privileges to exploit, the scope includes all users who access the injected content, which could include other administrators or privileged users, amplifying the risk. The vulnerability does not directly affect availability but could indirectly cause service disruption if exploited to deface sites or inject malware. Organizations running multi-site WordPress installations with this plugin are at particular risk, especially if they have disabled unfiltered_html, as this condition enables the vulnerability. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks, especially as the vulnerability becomes publicly known.

To mitigate this vulnerability, organizations should first verify if they are running the nestornoe Amazon affiliate lite plugin on multi-site WordPress installations or with unfiltered_html disabled. Immediate steps include restricting administrator access to trusted personnel only and auditing admin settings for suspicious content. Since no official patch is currently available, administrators should consider temporarily disabling or uninstalling the plugin until a fix is released. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the plugin's admin pages can provide additional protection. Site administrators should also enable strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitoring logs for unusual admin activity and conducting security reviews of plugin configurations are recommended. Once a patch is released, prompt application is critical. Additionally, educating administrators about the risks of injecting untrusted content and maintaining least privilege principles will reduce exploitation likelihood.