CVE-2025-14865 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the WordPress plugin Passster – Password Protect Pages and Content by wpchill. This plugin is designed to password-protect pages and content on WordPress sites. The vulnerability exists in the handling of the 'content_protector' shortcode, which fails to properly sanitize or neutralize user input before rendering it on web pages. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts protected by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the victim's context. The vulnerability affects all versions up to and including 4.2.24, with a partial fix introduced in version 4.2.21 that did not fully remediate the issue. The CVSS v3.1 score of 6.4 indicates a medium severity vulnerability with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported to date, but the vulnerability's presence in a widely used WordPress plugin makes it a significant risk for websites relying on Passster for content protection.

The impact of CVE-2025-14865 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of site visitors or administrators, potentially leading to theft of authentication cookies, defacement, unauthorized actions, or distribution of malware. Since the vulnerability requires Contributor-level access, it could be exploited by malicious insiders or compromised accounts. The scope change in the CVSS vector suggests that the vulnerability can affect components beyond the initially compromised user, potentially impacting site-wide content or user sessions. For organizations, this can lead to reputational damage, data breaches, and loss of user trust. E-commerce, membership, and content-restricted sites using Passster are particularly at risk, as attackers could bypass content protection or manipulate user interactions. Although no known exploits are currently in the wild, the medium severity and ease of exploitation warrant proactive remediation to prevent future attacks.

1. Upgrade the Passster plugin to a version beyond 4.2.24 once a complete patch is released by the vendor, as current versions up to 4.2.24 remain vulnerable despite partial fixes. 2. In the interim, restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection patterns targeting the 'content_protector' shortcode. 4. Conduct regular security audits and code reviews of custom shortcodes or plugins that handle user input to ensure proper sanitization and encoding. 5. Educate site administrators and content contributors about the risks of XSS and safe content handling practices. 6. Monitor site logs and user activity for unusual behavior indicative of exploitation attempts. 7. Consider disabling or replacing the Passster plugin with alternative content protection solutions that have verified secure coding practices until a full patch is available.