CVE-2025-14745: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in rebelcode RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
CVE-2025-14745 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin 'RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging' by rebelcode, affecting all versions up to 5.0.10. Authenticated users with contributor-level access or higher can inject malicious scripts via the plugin's shortcode due to insufficient input sanitization and output escaping. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking, defacement, or further attacks. The vulnerability has a CVSS score of 6.4 (medium severity) and does not require user interaction but does require authentication with low privileges. There are no known exploits in the wild yet, and no official patches have been linked. European organizations using this plugin on WordPress sites are at risk, especially those with contributor-level user roles. Mitigations include restricting contributor access, monitoring for suspicious shortcode usage, and applying custom input validation or output escaping until an official patch is released.
AI Analysis
Technical Summary
CVE-2025-14745 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 found in the WordPress plugin 'RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging' by rebelcode. The vulnerability arises from improper neutralization of user-supplied input within the plugin's 'wp-rss-aggregator' shortcode, which fails to adequately sanitize and escape attributes before rendering them on web pages. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code that is persistently stored and executed in the context of any user who views the affected page. The attack vector requires no user interaction beyond page access but does require authenticated access with relatively low privileges, making it a significant risk in multi-user WordPress environments. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, and partial impact on confidentiality and integrity, with no impact on availability. The vulnerability affects all versions up to and including 5.0.10 of the plugin. Currently, there are no known exploits in the wild and no official patches publicly available, increasing the urgency for organizations to implement interim mitigations. The vulnerability could be exploited to steal session cookies, deface websites, or conduct further attacks such as phishing or privilege escalation within the WordPress environment.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the affected RSS Aggregator plugin installed. Since contributor-level users can exploit this flaw, organizations with multiple content creators or editors are particularly vulnerable. Exploitation could lead to unauthorized disclosure of sensitive information such as session tokens or personal data, potentially violating GDPR requirements. The integrity of web content could be compromised, damaging brand reputation and user trust. Although availability is not directly impacted, the injected scripts could facilitate further attacks that degrade service or lead to broader compromise. Organizations in sectors with high regulatory scrutiny, such as finance, healthcare, and government, may face increased compliance and legal risks if exploited. The lack of known exploits in the wild provides a window for proactive defense, but the widespread use of WordPress and this plugin in Europe means the attack surface is significant.
Mitigation Recommendations
1. Immediately audit WordPress sites to identify installations of the 'RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging' plugin and verify the version in use.
2. Restrict contributor-level access to trusted users only and review user roles to minimize the number of users with permissions to inject content via shortcodes.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute patterns that may contain script tags or JavaScript payloads.
4. Employ custom input validation and output escaping for shortcode attributes by modifying plugin code or using WordPress hooks to sanitize inputs until an official patch is released.
5. Monitor logs and website content for unusual changes or injected scripts, especially on pages using the vulnerable shortcode.
6. Educate content contributors about the risks of injecting untrusted content and enforce strict content policies.
7. Stay alert for official patches or updates from rebelcode and apply them promptly once available.
8. Consider isolating or sandboxing WordPress instances that use this plugin to limit potential lateral movement in case of compromise.
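One way to put recommendations 4 and 5 into practice while waiting for a fixed release is a must-use plugin that hooks WordPress's own shortcode filters. The following is an added example written for this page, not code from rebelcode or from the RSS Aggregator plugin; it assumes only the shortcode tag 'wp-rss-aggregator' named in the technical summary, and the file name, log message format and the choice of wp_kses_post() are this example's own. The 'shortcode_atts_wp-rss-aggregator' filter fires only if the plugin passes the tag name as the third argument of shortcode_atts(), so the 'do_shortcode_tag' filter, which sees every shortcode's rendered output, is the part that applies regardless of how the plugin reads its attributes.

```php
<?php
/**
 * Plugin Name: Interim hardening for the wp-rss-aggregator shortcode
 * Description: Added example (not rebelcode's code). Strips markup from the
 *              shortcode's attributes, escapes its rendered output with
 *              wp_kses_post(), and logs whenever escaping changed something.
 *
 * Save as wp-content/mu-plugins/wp-rss-aggregator-interim.php so it loads on
 * every request without activation. Assumption: the shortcode tag is
 * 'wp-rss-aggregator' (from the advisory); everything else is chosen here.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

/**
 * Attribute-level check. WordPress applies 'shortcode_atts_{$shortcode}' only
 * when the handler calls shortcode_atts( $pairs, $atts, 'wp-rss-aggregator' ).
 * If it does, every string attribute is reduced to plain text before the
 * handler sees it.
 */
add_filter( 'shortcode_atts_wp-rss-aggregator', function ( $out, $pairs, $atts ) {
    foreach ( $out as $key => $value ) {
        if ( is_string( $value ) ) {
            // wp_strip_all_tags() removes tags together with <script>/<style>
            // bodies; sanitize_text_field() then entity-encodes a stray '<'
            // and trims line breaks and extra whitespace.
            $out[ $key ] = sanitize_text_field( wp_strip_all_tags( $value ) );
        }
    }
    return $out;
}, 10, 3 );

/**
 * Output-level check. 'do_shortcode_tag' runs on the HTML every shortcode
 * handler returns, whatever the handler did with its attributes.
 * wp_kses_post() keeps ordinary post markup (links, images, lists) but drops
 * <script>, on* event-handler attributes and javascript: URLs.
 */
add_filter( 'do_shortcode_tag', function ( $output, $tag, $attr ) {
    if ( 'wp-rss-aggregator' !== $tag ) {
        return $output;
    }

    $clean = wp_kses_post( $output );

    if ( $clean !== $output ) {
        // Escaping removed something: leave a trace for whoever reviews the
        // site, naming the post and the attributes the shortcode was given.
        // Assumption: error_log() reaches the PHP error log or WP debug.log.
        error_log( sprintf(
            '[CVE-2025-14745 interim filter] post %d: script-capable markup removed from [%s] output (attrs: %s)',
            (int) get_the_ID(),
            $tag,
            wp_json_encode( $attr )
        ) );
    }

    return $clean;
}, 10, 3 );
```

Try it on a staging copy first: wp_kses_post() also removes markup such as <iframe> that a feed item might legitimately carry, so confirm that feed output still renders as expected. The log lines land wherever PHP's error_log() writes (wp-content/debug.log when WP_DEBUG_LOG is on) and give a reviewer the post ID and attribute values to inspect under recommendation 5. Remove the file once a patched plugin version is installed.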
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-15T20:32:38.308Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 697308bc4623b1157c072633
Added to database: 1/23/2026, 5:35:56 AM
Last enriched: 1/23/2026, 5:50:34 AM
Last updated: 1/23/2026, 9:06:58 AM