CVE-2025-14110 Overview
The WP Js List Pages Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the class shortcode attribute in all versions up to, and including, 1.21. The vulnerability stems from insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages. These malicious scripts execute whenever any user accesses an injected page, potentially leading to session hijacking, credential theft, or further attacks against site visitors.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the browsers of all users viewing affected pages, enabling session hijacking, phishing attacks, and unauthorized actions on behalf of victims.
Affected Products
- WP Js List Pages Shortcodes plugin version 1.21 and earlier
- WordPress sites using vulnerable versions of the plugin
- All users with Contributor-level access or above are potential attack vectors
Discovery Timeline
- January 7, 2026 - CVE-2025-14110 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2025-14110
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists within the shortcode processing functionality of the WP Js List Pages Shortcodes plugin. The plugin fails to properly sanitize user-supplied input in the class shortcode attribute before rendering it in the page output. When an authenticated user with at least Contributor privileges creates or edits content containing the vulnerable shortcode, they can embed malicious JavaScript that becomes permanently stored in the WordPress database and executed whenever the page is rendered.
The vulnerability is particularly concerning because Stored XSS attacks persist across sessions and affect all users who view the compromised content, not just the attacker. This includes administrators, potentially allowing privilege escalation through session token theft or CSRF token harvesting.
Root Cause
The root cause of this vulnerability is the lack of proper input sanitization and output escaping for the class attribute within the shortcode handler function. The plugin directly incorporates user-controlled input into HTML output without applying appropriate WordPress escaping functions such as esc_attr() or wp_kses(). This allows attackers to break out of the HTML attribute context and inject script tags or event handlers.
The vulnerable code can be examined in the plugin source at line 58 of js-list-pages-shortcodes.php, where the class attribute value is rendered without proper escaping.
Attack Vector
The attack is executed over the network and requires low-privilege authenticated access (Contributor-level or above). An attacker with valid WordPress credentials can inject malicious payloads through the plugin's shortcode interface. The attack flow involves:
- The attacker authenticates to the WordPress site with at least Contributor privileges
- They create or edit a page/post containing the vulnerable shortcode with a crafted class attribute containing JavaScript payload
- The malicious content is saved to the WordPress database
- When any user (including administrators) views the affected page, the injected script executes in their browser context
No user interaction beyond viewing the page is required for the payload to execute, and the attack has cross-scope impact as it can affect users beyond the attacker's normal privilege boundary.
Detection Methods for CVE-2025-14110
Indicators of Compromise
- Unusual JavaScript code within page content containing the WP Js List Pages shortcodes
- Presence of event handlers (e.g., onerror, onload, onclick) within shortcode class attributes
- Database entries containing script tags or encoded JavaScript within shortcode parameters
- Unexpected external resource loading or beacon requests from visitor browsers
Detection Strategies
- Review WordPress database for stored content containing suspicious patterns within shortcode attributes such as <script>, javascript:, or event handler attributes
- Implement Content Security Policy (CSP) headers to detect and block unauthorized inline script execution
- Deploy web application firewall (WAF) rules to detect XSS patterns in POST requests to WordPress
- Monitor browser console errors and CSP violation reports for evidence of blocked malicious scripts
Monitoring Recommendations
- Enable WordPress audit logging to track content modifications by Contributor-level users
- Configure SentinelOne Singularity Platform to monitor for anomalous script execution patterns on WordPress servers
- Set up alerts for database modifications to posts/pages containing shortcode content
- Implement real-time monitoring of outbound connections from the WordPress server to detect data exfiltration attempts
How to Mitigate CVE-2025-14110
Immediate Actions Required
- Update WP Js List Pages Shortcodes plugin to the latest patched version if available
- Review all existing content using the plugin's shortcodes for malicious payloads
- Audit user accounts with Contributor-level access and above for unauthorized activity
- Consider temporarily disabling the plugin until a patch is confirmed
Patch Information
Site administrators should check the WordPress Plugin Directory for updated versions of the WP Js List Pages Shortcodes plugin that address this vulnerability. The fix involves implementing proper output escaping using WordPress security functions like esc_attr() for the class attribute. Detailed vulnerability information is available in the Wordfence Vulnerability Report.
Workarounds
- Remove or deactivate the WP Js List Pages Shortcodes plugin until a patched version is available
- Restrict user accounts to the minimum necessary privileges, limiting Contributor-level access where possible
- Implement a Web Application Firewall (WAF) with rules to filter XSS patterns in shortcode attributes
- Deploy Content Security Policy headers to mitigate the impact of any successful XSS exploitation
# Add Content Security Policy header to WordPress .htaccess
# This helps mitigate XSS impact by restricting script execution
Header set Content-Security-Policy "script-src 'self'; object-src 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
