CVE-2025-14114 Overview
The 1180px Shortcodes plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the class shortcode attribute. All versions up to and including 1.1.1 are affected due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with Contributor-level access or above to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page.
Critical Impact
Authenticated attackers can persistently inject malicious scripts that execute in victim browsers, potentially leading to session hijacking, credential theft, defacement, or further malware distribution across the WordPress site.
Affected Products
- 1180px Shortcodes WordPress Plugin versions up to and including 1.1.1
- WordPress installations utilizing the vulnerable plugin with Contributor or higher user roles
Discovery Timeline
- January 7, 2026 - CVE-2025-14114 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2025-14114
Vulnerability Analysis
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw resides in how the plugin handles user-supplied input within the class shortcode attribute. When users with at least Contributor privileges create or edit posts containing the vulnerable shortcode, their input is not properly sanitized before being stored in the database, nor is it escaped when rendered on the page.
The stored nature of this XSS makes it particularly dangerous because the malicious payload persists in the database and executes every time any user visits the affected page. This allows attackers to target site administrators, potentially escalating their privileges or compromising the entire WordPress installation.
Root Cause
The root cause lies in insufficient input validation and output escaping within the 1180px.php file at approximately line 115. The plugin fails to implement proper sanitization functions like sanitize_html_class() for the class attribute input, and lacks output escaping using functions such as esc_attr() when rendering the shortcode output. This oversight allows attackers to break out of the HTML attribute context and inject executable JavaScript code.
Attack Vector
The attack is network-accessible and requires low privileges (Contributor role or higher). An attacker first needs to authenticate to the WordPress site with at least Contributor access. From there, they can craft a malicious shortcode within a post or page that includes JavaScript payloads in the class attribute.
When the post is published or previewed, and subsequently viewed by other users including administrators, the injected script executes in their browser context. The attacker can leverage this to steal session cookies, redirect users to phishing pages, modify page content, or perform actions on behalf of authenticated administrators.
The vulnerability mechanism involves injecting script tags or event handlers through the unsanitized class attribute parameter. For detailed technical information, refer to the WordPress Plugin Source Code and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-14114
Indicators of Compromise
- Unexpected JavaScript code or event handlers within post content containing 1180px shortcodes
- Unusual shortcode attributes containing script tags, onerror, onload, or other event handlers
- Posts created by Contributor-level users containing suspicious class attribute values
- Browser console errors or unexpected script execution when viewing pages with 1180px shortcodes
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in WordPress post content and shortcode attributes
- Enable WordPress audit logging to track post modifications by Contributor-level users
- Use security plugins that scan database content for stored XSS patterns
- Monitor for anomalous outbound connections from client browsers when viewing site pages
Monitoring Recommendations
- Review audit logs for posts containing 1180px shortcodes modified by non-administrator users
- Deploy Content Security Policy (CSP) headers to mitigate XSS impact and generate violation reports
- Conduct periodic scans of WordPress database for stored XSS indicators in post content
- Monitor SentinelOne alerts for endpoint behavior anomalies related to browser-based attacks
How to Mitigate CVE-2025-14114
Immediate Actions Required
- Audit all existing posts and pages using the 1180px Shortcodes plugin for suspicious class attribute values
- Consider temporarily disabling the plugin until a patched version is available
- Review and restrict Contributor-level user access to reduce attack surface
- Implement a Web Application Firewall with XSS protection rules
Patch Information
At the time of publication, no official patch has been confirmed. Monitor the WordPress Plugin Repository for updates to versions newer than 1.1.1. Site administrators should also subscribe to the Wordfence Threat Intelligence feed for notifications when a security update becomes available.
Workarounds
- Remove the 1180px Shortcodes plugin entirely if functionality is not critical to site operations
- Restrict user roles that can create posts with shortcodes to trusted administrators only
- Implement server-side input filtering to strip potentially malicious content from shortcode attributes
- Deploy Content Security Policy headers to restrict inline script execution
# Add Content Security Policy header in Apache .htaccess
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
# Or in Nginx configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
