CVE-2025-14865 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the WordPress plugin Passster – Password Protect Pages and Content developed by wpchill. This vulnerability arises from improper neutralization of input during web page generation, specifically via the 'content_protector' shortcode. Authenticated attackers with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages protected by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects all versions up to and including 4.2.24, with a partial fix introduced in version 4.2.21 that did not fully remediate the issue. The attack vector is remote network-based, requiring low attack complexity and no user interaction beyond the victim visiting the compromised page. The scope is changed because the vulnerability allows an attacker to affect other users' confidentiality and integrity by executing scripts in their context. The CVSS v3.1 base score is 6.4, indicating medium severity, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors and sensitive content.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information, such as session tokens or personal data, through malicious script execution. Attackers can manipulate site content or perform actions on behalf of legitimate users, undermining data integrity and trust. Organizations relying on the Passster plugin to protect confidential pages may find their protections bypassed, exposing internal or customer data. The impact is particularly concerning for sectors with strict data protection regulations like GDPR, where data breaches can result in heavy fines and reputational damage. Additionally, compromised websites can be used as vectors for further attacks, including phishing or malware distribution, affecting both the organization and its users. Since exploitation requires authenticated access, insider threats or compromised contributor accounts increase risk. The lack of known exploits in the wild provides a window for mitigation, but the medium severity score indicates that timely patching is critical to prevent potential exploitation.

European organizations should immediately audit their WordPress installations to identify the use of the Passster – Password Protect Pages and Content plugin. If present, upgrade the plugin to a version beyond 4.2.24 once a full patch is released, as the current partial fix in 4.2.21 is insufficient. Until a complete fix is available, restrict Contributor-level and higher privileges to trusted users only and monitor for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the 'content_protector' shortcode. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Conduct regular security reviews of user-generated content and sanitize inputs at the application level where possible. Educate content contributors about the risks of injecting untrusted code and enforce strict content validation policies. Finally, maintain comprehensive logging and alerting to detect potential exploitation attempts promptly.