CVE-2025-14792 is a stored cross-site scripting vulnerability identified in the Key Figures plugin for WordPress, developed by audrasjb. The vulnerability exists in the kf_field_figure_default_color_render function, which fails to properly sanitize and escape user input before rendering it on web pages. This flaw allows authenticated attackers with administrator privileges to inject malicious JavaScript code into pages within multi-site WordPress installations or installations where the unfiltered_html capability is disabled. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially enabling session hijacking, privilege escalation, or other malicious activities. The vulnerability affects all versions up to and including 1.1 of the plugin. The CVSS 3.1 base score is 4.4, indicating medium severity, due to the requirement for high privileges (administrator) and the absence of user interaction for exploitation. The scope is considered changed (S:C) because the vulnerability can affect other users beyond the attacker. No public exploits have been reported to date. The vulnerability was published on January 7, 2026, and is tracked under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page).

For European organizations, this vulnerability poses a moderate risk primarily in environments using WordPress multi-site installations with the Key Figures plugin. Successful exploitation could lead to unauthorized script execution in the context of other users, potentially compromising user sessions, stealing sensitive data, or enabling further attacks such as privilege escalation or malware deployment. Although exploitation requires administrator access, insider threats or compromised admin accounts could leverage this vulnerability to expand their control or disrupt operations. The impact on confidentiality and integrity is low to moderate, while availability is not affected. Organizations relying on WordPress multi-site setups for intranet portals, content management, or customer-facing sites may see reputational damage and compliance issues if exploited. Given the medium CVSS score and lack of known exploits, the immediate risk is moderate but should not be underestimated, especially in sectors with sensitive data or regulatory requirements such as finance, healthcare, and government.

To mitigate CVE-2025-14792, European organizations should: 1) Immediately update the Key Figures plugin to a patched version once available, or temporarily disable the plugin in multi-site environments. 2) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3) Review and harden WordPress configuration by enabling security plugins that monitor and block suspicious script injections. 4) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 5) Regularly audit multi-site installations for unauthorized changes or injected scripts, focusing on pages rendered by the vulnerable function. 6) Educate administrators about the risks of stored XSS and the importance of input validation and output escaping. 7) Disable or carefully manage the unfiltered_html capability to minimize exposure. 8) Monitor logs and user activity for signs of exploitation attempts or anomalous behavior. These steps go beyond generic advice by focusing on the specific conditions and attack vectors relevant to this vulnerability.