CVE-2025-14745 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging' developed by rebelcode. The flaw exists in all versions up to and including 5.0.10 and is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes in the 'wp-rss-aggregator' shortcode. Authenticated attackers with contributor-level privileges or higher can exploit this vulnerability by injecting arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability has a CVSS 3.1 score of 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is classified as changed, indicating that the vulnerability affects resources beyond the attacker’s privileges. Currently, there are no known exploits in the wild, but the presence of this vulnerability in a widely used WordPress plugin poses a significant risk if left unaddressed.

The impact of CVE-2025-14745 is primarily on the confidentiality and integrity of user data within affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim’s browser, which can lead to theft of authentication cookies, session tokens, or other sensitive information. This can result in unauthorized access to user accounts, including administrative accounts if targeted properly. Additionally, attackers may perform actions on behalf of victims, deface websites, or distribute malware. Since the vulnerability requires contributor-level access, it can be exploited by malicious insiders or compromised accounts, increasing the risk in environments with multiple content creators. The vulnerability does not directly affect availability but can indirectly cause service disruption through defacement or malicious payload delivery. Organizations relying on this plugin for content aggregation and autoblogging may face reputational damage, data breaches, and compliance issues if exploited.

To mitigate CVE-2025-14745, organizations should immediately update the 'RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging' plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, restrict contributor-level and higher privileges to trusted users only and audit existing user roles to minimize risk. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs that may contain script tags or other XSS payloads. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly review and sanitize all user-generated content, especially shortcode inputs, using server-side validation and escaping functions. Monitor logs for unusual activity related to shortcode usage and user privilege escalations. Educate content contributors about the risks of injecting untrusted content and enforce strict input validation policies. Finally, conduct periodic security assessments and penetration tests focusing on plugin vulnerabilities and privilege abuse scenarios.