CVE-2025-14767 is a stored cross-site scripting vulnerability in the WPC Badge Management for WooCommerce plugin for WordPress. It affects all versions up to and including 3.1.6. The flaw exists because the plugin does not properly sanitize or escape the 'text' attribute of the wpcbm_best_seller shortcode, allowing authenticated users with Shop Manager or higher privileges to inject arbitrary JavaScript code. This code executes in the context of users who visit pages containing the injected shortcode, potentially leading to session hijacking or other script-based attacks. The vulnerability has a CVSS 3.1 base score of 5.5 (medium severity) with network attack vector, low attack complexity, high privileges required, no user interaction, and impacts confidentiality and integrity with no availability impact. No known exploits in the wild or vendor patches have been reported as of the published date.

An attacker with Shop Manager-level access or higher can inject malicious scripts that execute in the browsers of users viewing the affected pages. This can lead to unauthorized actions performed in the context of the victim user, disclosure of sensitive information, or other script-based attacks. The impact affects confidentiality and integrity but does not affect availability. The vulnerability requires authenticated access with elevated privileges, limiting the attack surface.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Shop Manager-level access to trusted users only and consider disabling or removing the WPC Badge Management for WooCommerce plugin if possible. Monitor for updates from the vendor and apply patches promptly once available.