CVE-2025-14792 is a stored cross-site scripting vulnerability classified under CWE-80, found in the Key Figures plugin for WordPress developed by audrasjb. The vulnerability exists in the kf_field_figure_default_color_render function, which fails to properly sanitize and escape user input before rendering it on web pages. This flaw allows authenticated users with administrator-level access to inject malicious JavaScript code into pages. The vulnerability specifically impacts multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting the scope of exploitation. When a victim accesses a page containing the injected script, the malicious code executes in their browser context, potentially enabling session hijacking, defacement, or further attacks leveraging the victim's privileges. The CVSS 3.1 base score is 4.4, indicating a medium severity level due to the requirement for high privileges and no user interaction needed. No public exploits have been reported, and no patches have been linked yet, highlighting the need for vigilance and proactive mitigation. The vulnerability was published on January 7, 2026, and assigned by Wordfence. Given the nature of WordPress and the plugin's usage, the vulnerability poses a risk primarily to organizations running multi-site WordPress environments with this plugin installed.

The impact of CVE-2025-14792 is primarily on the confidentiality and integrity of affected WordPress sites. An attacker with administrator privileges can inject persistent malicious scripts that execute in the browsers of users visiting the compromised pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. While availability is not directly affected, the reputational damage and trust erosion can be significant. The requirement for administrator-level access limits the attack surface but also means that if an attacker has already compromised an admin account, this vulnerability can be leveraged to escalate the attack. Multi-site installations are particularly at risk since a single injected script can affect multiple sites under the same network. Organizations relying on this plugin in multi-site WordPress setups face increased risk, especially if they have disabled unfiltered_html to restrict content editing capabilities. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future exploitation.

To mitigate CVE-2025-14792, organizations should first verify if they are running the Key Figures plugin version 1.1 or earlier on multi-site WordPress installations or where unfiltered_html is disabled. Immediate steps include restricting administrator access to trusted personnel only and auditing existing content for suspicious scripts. Since no official patch is currently linked, consider disabling or uninstalling the plugin temporarily until a fixed version is released. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Employ Web Application Firewalls (WAFs) with rules targeting stored XSS patterns specific to this plugin's behavior. Regularly monitor logs and user activity for signs of abuse or injection attempts. Educate administrators on safe content input practices and review plugin updates from the vendor audrasjb for timely patches. Additionally, consider isolating multi-site environments or limiting plugin usage to single-site installations where feasible to reduce exposure.