CVE-2025-14792 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Key Figures plugin for WordPress, developed by audrasjb. The vulnerability exists in the kf_field_figure_default_color_render function, which fails to properly sanitize and escape user input before rendering it on web pages. This flaw allows authenticated users with administrator-level privileges to inject arbitrary JavaScript code into pages. The injected scripts execute in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability specifically affects multisite WordPress installations where the unfiltered_html capability is disabled, limiting the ability to input raw HTML. The CVSS 3.1 score of 4.4 reflects a medium severity, primarily due to the requirement for administrator privileges and high attack complexity, but with a scope that can affect multiple sites within a multisite network. No public exploits have been reported yet, but the vulnerability poses a risk to sites that rely on the Key Figures plugin for displaying data visualizations or metrics. The lack of available patches at the time of reporting necessitates immediate attention to access controls and monitoring. This vulnerability falls under CWE-80, which covers improper neutralization of script-related HTML tags, a common vector for XSS attacks.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted WordPress environments, potentially compromising user sessions, stealing sensitive data, or performing unauthorized actions on behalf of users. Multisite WordPress installations are particularly at risk because a single injection can affect multiple sites within the network, amplifying the impact. Organizations relying on the Key Figures plugin for business-critical dashboards or reporting may face data integrity issues or reputational damage if attackers exploit this flaw. The requirement for administrator-level access limits the attack surface but also highlights the importance of securing privileged accounts. In regulated industries such as finance, healthcare, and government sectors prevalent in Europe, exploitation could lead to compliance violations under GDPR or other data protection laws. The medium CVSS score indicates moderate risk, but the chained impact on multisite environments and potential for lateral movement within networks elevates concern for organizations with complex WordPress deployments.

1. Immediately restrict administrator access to trusted personnel only and enforce strong authentication mechanisms such as MFA. 2. Monitor multisite WordPress installations for unusual administrator activity or unexpected content changes, especially in pages using the Key Figures plugin. 3. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. 4. Disable or limit the use of the Key Figures plugin in multisite environments until a security patch is released. 5. Regularly audit and sanitize all inputs and outputs related to the plugin, applying manual filters if necessary. 6. Keep WordPress core and all plugins updated; apply security patches promptly once available for this vulnerability. 7. Use web application firewalls (WAFs) with rules targeting XSS attack patterns to provide an additional layer of defense. 8. Educate administrators about the risks of XSS and safe content management practices to prevent accidental injection of malicious code.