CVE-2025-14122 Overview
The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the sliding_faq shortcode in all versions up to, and including, 2.4. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages. These malicious scripts execute whenever a user accesses an injected page, potentially leading to session hijacking, credential theft, or further compromise of site visitors.
Impact
An authenticated attacker with contributor-level privileges or higher can store a script payload that runs in the browser of every visitor who loads the affected page, including logged-in editors and administrators, exposing session cookies, form data and anything else the victim's browser context can reach. The severity is moderate rather than critical: confidentiality and integrity impact are rated limited, but the payload persists in the database until the content is cleaned up.
Affected Products
- AD Sliding FAQ plugin for WordPress versions up to and including 2.4
- WordPress installations with AD Sliding FAQ plugin enabled
- Sites allowing contributor-level or higher user access
Discovery Timeline
- 2026-01-07 - CVE-2025-14122 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-14122
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists within the sliding_faq shortcode implementation in the AD Sliding FAQ plugin. It is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation): user-controlled input is written into the generated HTML without being escaped for the context in which it lands.
Exploitation is network-based and, once the payload is stored, requires no further action by the attacker; any victim who loads the page triggers it. The scope is changed, meaning the vulnerable component (the WordPress plugin) impacts resources beyond its own security scope (visitor browsers). While the confidentiality and integrity impacts are rated limited, the persistent nature of stored XSS makes this vulnerability particularly dangerous, because the payload stays active until it is explicitly removed.
Root Cause
The root cause of this vulnerability is the lack of proper input sanitization and output escaping for user-supplied attributes within the sliding_faq shortcode handler. When contributors or higher-privileged users add the shortcode to WordPress pages or posts, the plugin fails to validate and escape attribute values before rendering them in the HTML output. Note that contributors cannot simply post a script tag: their content passes through wp_kses on save, which removes script elements and on* event-handler attributes from HTML tags. Shortcode attribute values, however, are plain text as far as kses is concerned, so a value such as x" onmouseover="... survives the save unchanged and only becomes live markup when the plugin interpolates it unescaped at render time. The resulting JavaScript is stored in the database and executed in the context of any visitor's browser session.
The vulnerable code can be examined in the plugin source at line 205 of any-sliding-faq.php. For technical details, see the WordPress Plugin Source Code.
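The following is an added illustration, not the AD Sliding FAQ plugin's own code: a hypothetical [sliding_faq] handler in the shape the advisory describes, beside a hardened version that escapes each value for the context it lands in. The attribute names (title, question, answer) and the attacker payload are assumed for the demo, and the small shims at the top stand in for WordPress's esc_attr(), esc_html() and shortcode_atts() so the file can be run with plain php outside WordPress.

```php
<?php
// Added example, not the plugin's code. Shims approximate the WordPress helpers
// so this runs from the CLI; inside WordPress the real functions are used.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    // Keep only the attribute names listed in $pairs, filling in defaults.
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        $out = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, (array) $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}

// VULNERABLE (hypothetical): attribute values are concatenated straight into markup.
function sliding_faq_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'title' => '', 'question' => '', 'answer' => '' ), $atts, 'sliding_faq' );
    return '<div class="sliding-faq" title="' . $a['title'] . '">'
         . '<h3>' . $a['question'] . '</h3>'
         . '<div class="answer">' . $a['answer'] . '</div></div>';
}

// HARDENED: same output, every value escaped for its context
// (esc_attr inside an attribute, esc_html in element text).
function sliding_faq_hardened( $atts ) {
    $a = shortcode_atts( array( 'title' => '', 'question' => '', 'answer' => '' ), $atts, 'sliding_faq' );
    return '<div class="sliding-faq" title="' . esc_attr( $a['title'] ) . '">'
         . '<h3>' . esc_html( $a['question'] ) . '</h3>'
         . '<div class="answer">' . esc_html( $a['answer'] ) . '</div></div>';
}

// Constructed payload, as a contributor could store it:
//   [sliding_faq title='FAQ" onmouseover="alert(document.cookie)' question="..." answer="..."]
// kses strips <script> and on* attributes from HTML tags on save, but this is plain
// text inside the shortcode brackets, so it reaches the handler intact.
$attacker_atts = array(
    'title'    => 'FAQ" onmouseover="alert(document.cookie)',
    'question' => 'How do I reset my password?',
    'answer'   => 'Use the link on the login page.',
);

echo "vulnerable: " . sliding_faq_vulnerable( $attacker_atts ) . "\n";
echo "hardened:   " . sliding_faq_hardened( $attacker_atts ) . "\n";
```

In the vulnerable output the title attribute closes after FAQ and onmouseover becomes a real event handler on the div. In the hardened output the embedded double quote is encoded as &quot;, so the whole value stays inside the title attribute and renders as inert text. The shims only approximate WordPress (the real esc_attr() does not double-encode existing entities), which is why they are guarded with function_exists and never replace the real helpers.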
Attack Vector
The attack vector is network-based and requires low privileges (contributor-level access). The attacker places a sliding_faq shortcode in a post or page with one or more attribute values carrying a JavaScript payload, saves the content through the normal WordPress editor (or the REST API), and waits. Contributors cannot publish, so the draft or pending post must be previewed or reviewed by an editor or administrator before it reaches the public site; in either case the script executes in the browser of whoever views it.
Because the payload is stored, it affects every subsequent viewer of the affected page, including privileged users reviewing the content, until the malicious shortcode is removed.
For additional technical analysis, refer to the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-14122
Indicators of Compromise
- Presence of unexpected JavaScript code within sliding_faq shortcode attributes in posts or pages
- Suspicious shortcode entries containing event handlers such as onload, onerror, onclick, or onmouseover
- Reports of unexpected browser behavior or redirects when users visit FAQ pages
- Audit log entries showing contributors adding or editing sliding_faq shortcodes in content outside their usual scope, or repeatedly editing attribute values of existing FAQ entries
Detection Strategies
- Review WordPress content database for sliding_faq shortcodes containing script tags or JavaScript event handlers
- Monitor for unexpected outbound requests triggered from FAQ pages (beacons to unfamiliar domains, requests carrying cookie or token values in the query string) that may indicate a payload exfiltrating data
- Deploy Content Security Policy headers with a reporting endpoint; in report-only mode they surface inline script execution without breaking the site, and in enforcing mode (with nonces for the site's own inline scripts) they block it
- Use WordPress security plugins to scan for potentially malicious shortcode content
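The database review suggested above is more reliable when the shortcode attributes are actually parsed rather than grepped for a few substrings, since a contributor's payload need not contain a script tag. The script below is an added example, not part of the page or the plugin: it extracts every [sliding_faq ...] occurrence, parses attributes with the same quoting rules WordPress's shortcode parser accepts, and flags values that contain an HTML tag, an inline event handler, a javascript: URL, or the quote-then-attribute pattern of an attribute breakout. The three sample rows are constructed for the demo; when run inside WordPress via wp eval-file it reads real rows through $wpdb instead.

```php
<?php
// Added example (not the plugin's code): flag suspicious [sliding_faq] attributes.

function sliding_faq_suspicious_atts( $post_content ) {
    $findings = array();
    // Every [sliding_faq ...] tag, including the self-closing [sliding_faq ... /] form.
    if ( ! preg_match_all( '/\[sliding_faq\b([^\]]*)\]/i', $post_content, $tags, PREG_OFFSET_CAPTURE ) ) {
        return $findings;
    }
    // name="value", name='value' or name=value, as the WordPress parser accepts them.
    $att_re = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/';
    foreach ( $tags[1] as $i => $attstr ) {
        preg_match_all( $att_re, $attstr[0], $matches, PREG_SET_ORDER );
        foreach ( $matches as $att ) {
            $name  = $att[1];
            $value = $att[4] ?? ( $att[3] ?? $att[2] ); // whichever quoting form matched
            $reasons = array();
            if ( preg_match( '/<\s*\/?\s*[a-z]+/i', $value ) ) {
                $reasons[] = 'html tag';
            }
            if ( preg_match( '/\bon[a-z]+\s*=/i', $value ) ) {
                $reasons[] = 'event handler';
            }
            if ( preg_match( '/javascript\s*:/i', $value ) ) {
                $reasons[] = 'javascript: URL';
            }
            if ( preg_match( '/["\']\s*\w+\s*=/', $value ) ) {
                $reasons[] = 'attribute breakout';
            }
            if ( $reasons ) {
                $findings[] = array(
                    'offset'  => $tags[0][ $i ][1],
                    'attr'    => $name,
                    'value'   => $value,
                    'reasons' => $reasons,
                );
            }
        }
    }
    return $findings;
}

// Constructed sample rows standing in for wp_posts; row 12 is benign.
$rows = array(
    array( 'ID' => 12, 'post_content' => '[sliding_faq title="Shipping" question="How long?" answer="3-5 days"]' ),
    array( 'ID' => 27, 'post_content' => '<p>Intro</p>[sliding_faq title=\'FAQ" onmouseover="alert(document.cookie)\' question="Account?" answer="See below"]' ),
    array( 'ID' => 31, 'post_content' => '[sliding_faq title="Returns" answer="<a href=\'javascript:alert(1)\'>here</a>" /]' ),
);

// Inside WordPress (wp eval-file scan.php) read the real rows instead.
if ( isset( $GLOBALS['wpdb'] ) ) {
    $rows = $GLOBALS['wpdb']->get_results(
        "SELECT ID, post_content FROM {$GLOBALS['wpdb']->posts} WHERE post_content LIKE '%[sliding_faq%'",
        ARRAY_A
    );
}

foreach ( $rows as $row ) {
    foreach ( sliding_faq_suspicious_atts( $row['post_content'] ) as $f ) {
        printf( "post %d @%d: attribute %s flagged (%s): %s\n",
            $row['ID'], $f['offset'], $f['attr'], implode( ', ', $f['reasons'] ), $f['value'] );
    }
}
```

Run with php scan.php to see rows 27 and 31 flagged and row 12 pass. The breakout check fires on a quote followed by something that looks like an attribute assignment, which is what a contributor needs to escape the attribute the plugin writes the value into; every hit still deserves a manual look, since a legitimate answer containing quoted prose can match. Administrators and editors hold unfiltered_html, so their content is never kses-filtered and can legitimately contain markup; treat hits on their posts as review items rather than automatic compromises.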
Monitoring Recommendations
- Enable detailed audit logging for all content modifications by contributor-level users
- Configure web application firewall (WAF) rules to detect XSS payloads in POST requests, including event-handler and quote-breakout patterns inside [sliding_faq ...] tags; rules that only look for script tags miss the payloads a contributor can actually store
- Set up alerts for JavaScript-related strings appearing in shortcode database entries
- Regularly scan plugin-generated HTML output for unexpected script elements
How to Mitigate CVE-2025-14122
Immediate Actions Required
- Update the AD Sliding FAQ plugin to a release later than 2.4 that fixes the shortcode attribute handling, as soon as one is published
- Audit all existing posts and pages containing sliding_faq shortcodes for malicious content
- Temporarily disable the AD Sliding FAQ plugin if an update is not yet available
- Review user accounts with contributor-level access and above for suspicious activity
- Until a fix is available, restrict use of the shortcode to users who already hold the unfiltered_html capability (administrators, and editors on single-site installs); those roles can store script in content anyway, so the vulnerability adds nothing for them, while stripping the shortcode from lower-privileged users' content closes the contributor path
Patch Information
Check the plugin's development (trunk) version on the WordPress plugin repository for changes addressing this vulnerability, and monitor the repository for a release beyond 2.4 whose changelog mentions escaping of shortcode attributes.
The Wordfence Vulnerability Report may contain additional remediation guidance and patch availability information.
Workarounds
- Disable the AD Sliding FAQ plugin until a patched version is released
- Restrict contributor-level access to trusted users only and audit existing contributor accounts
- Implement a Web Application Firewall (WAF) with XSS detection rules to filter malicious input
- Add Content Security Policy headers to mitigate the impact of successful XSS exploitation
- Manually review and sanitize existing FAQ shortcode content in the database
# WP-CLI query to locate posts whose content contains a sliding_faq shortcode alongside
# script tags, javascript: URLs or inline event handlers. Replace wp_ with your table prefix.
# Contributor content is kses-filtered on save, so '<script' rarely survives; the
# event-handler patterns are the ones that matter, and a quote-based breakout with an
# uncommon handler name will not match at all, so treat this as a first pass only.
wp db query "SELECT ID, post_title, post_status FROM wp_posts WHERE post_content LIKE '%[sliding_faq%' AND (post_content LIKE '%<script%' OR post_content LIKE '%javascript:%' OR post_content LIKE '%onerror%' OR post_content LIKE '%onload%' OR post_content LIKE '%onmouseover%' OR post_content LIKE '%onclick%' OR post_content LIKE '%onfocus%')"
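A stopgap that keeps existing FAQs rendering while the vendor fix is pending, as an added example rather than anything the page or the plugin provides: a must-use plugin that wraps whatever callback is registered for [sliding_faq] so every attribute value is HTML-escaped before the original handler sees it, and that strips the shortcode from content saved by users without the unfiltered_html capability (the privilege restriction suggested above). It assumes the plugin's attribute values are meant to be plain text; an attribute that legitimately carries markup would render as literal text instead.

```php
<?php
/**
 * Plugin Name: sliding_faq hardening (temporary workaround)
 * Description: Added example, not the vendor's code. Drop into wp-content/mu-plugins/.
 */

// (1) Escape attributes at render time. Runs on wp_loaded so every plugin has
//     already registered its shortcodes; WordPress keeps them in $shortcode_tags.
add_action( 'wp_loaded', function () {
    global $shortcode_tags;
    if ( empty( $shortcode_tags['sliding_faq'] ) ) {
        return; // plugin inactive or shortcode renamed: nothing to wrap
    }
    $original = $shortcode_tags['sliding_faq'];
    remove_shortcode( 'sliding_faq' );
    add_shortcode( 'sliding_faq', function ( $atts, $content = '', $tag = '' ) use ( $original ) {
        // $atts is '' when the tag has no attributes, otherwise name => string.
        if ( is_array( $atts ) ) {
            foreach ( $atts as $name => $value ) {
                if ( is_string( $value ) ) {
                    // esc_attr() encodes quotes and angle brackets and does not
                    // double-encode, so it stays safe if the plugin later escapes too.
                    $atts[ $name ] = esc_attr( $value );
                }
            }
        }
        return call_user_func( $original, $atts, $content, $tag );
    } );
} );

// (2) Do not let users without unfiltered_html store the shortcode at all.
//     wp_insert_post_data covers the classic editor, the block editor and REST saves.
add_filter( 'wp_insert_post_data', function ( $data, $postarr ) {
    if ( current_user_can( 'unfiltered_html' ) || empty( $data['post_content'] ) ) {
        return $data;
    }
    if ( false === strpos( $data['post_content'], '[sliding_faq' ) ) {
        return $data;
    }
    // Core's own shortcode regex, limited to this tag; removes both the
    // self-closing and the enclosing [sliding_faq]...[/sliding_faq] forms.
    $pattern = get_shortcode_regex( array( 'sliding_faq' ) );
    $data['post_content'] = preg_replace( '/' . $pattern . '/s', '', $data['post_content'] );
    return $data;
}, 10, 2 );
```

Part (1) neutralizes payloads that are already stored, so it is the piece to deploy first; part (2) stops new ones from contributors and authors. Both are inert when the plugin is deactivated, and both should be removed once a fixed release is installed, after re-running the content audit above.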
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


