CVE-2025-14144: Mstoic Shortcodes WordPress XSS Flaw

CVE-2025-14144 Overview

The Mstoic Shortcodes plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the start parameter of the ms_youtube_embeds shortcode. All versions up to and including 2.0 are affected due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages that execute whenever any user accesses the compromised page.

Critical Impact

Authenticated attackers can inject persistent malicious scripts that execute in the browsers of all users who view affected pages, potentially leading to session hijacking, credential theft, and site defacement.

Affected Products

• Mstoic Shortcodes WordPress Plugin versions up to and including 2.0
• WordPress installations with Contributor-level user accounts or higher using the affected plugin
• Any WordPress site utilizing the ms_youtube_embeds shortcode functionality

Discovery Timeline

• 2026-01-07 - CVE-2025-14144 published to NVD
• 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-14144

Vulnerability Analysis

This Stored Cross-Site Scripting vulnerability exists within the YouTube embeds functionality of the Mstoic Shortcodes plugin. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The flaw allows network-based attacks that can be exploited by authenticated users with low-privilege Contributor accounts without requiring user interaction to trigger the payload.

The vulnerability has a changed scope, meaning successful exploitation impacts resources beyond the vulnerable component itself—specifically, it can affect the security context of users' browsers viewing the injected content.

Root Cause

The root cause of this vulnerability is insufficient input sanitization and output escaping in the handling of the start parameter within the ms_youtube_embeds shortcode function. Located in the file youtube_embeds.php at line 117, the plugin fails to properly validate and sanitize user-supplied input before rendering it in the HTML output. This allows malicious JavaScript code to be stored in the database and subsequently executed when the page is rendered.

Attack Vector

The attack requires an authenticated user with at least Contributor-level privileges to create or edit content using the vulnerable shortcode. The attacker crafts a malicious payload within the start parameter of the [ms_youtube_embeds] shortcode. When any user—including administrators—views the page containing this shortcode, the injected script executes within their browser session.

The vulnerability is exploited through WordPress's shortcode system, where the start parameter value is improperly echoed into the page output without proper encoding, allowing script injection. An attacker could craft a shortcode with JavaScript event handlers or script tags embedded in the start parameter value. For detailed technical analysis, see the Wordfence Vulnerability Report and the vulnerable source code on WordPress Plugin Trac.

Detection Methods for CVE-2025-14144

Indicators of Compromise

• Unexpected or suspicious JavaScript code within post content containing ms_youtube_embeds shortcodes
• Modified posts or pages with unusual start parameter values in shortcode attributes
• Browser console errors or unexpected network requests when viewing pages with YouTube embeds
• Reports of unusual behavior from site visitors viewing specific pages

Detection Strategies

• Review WordPress database for posts containing [ms_youtube_embeds with suspicious start parameter values containing script tags or event handlers
• Implement Web Application Firewall (WAF) rules to detect XSS payloads in shortcode parameters
• Enable WordPress audit logging to track content modifications by Contributor-level users
• Use SentinelOne Singularity to monitor for anomalous JavaScript execution patterns originating from WordPress pages

Monitoring Recommendations

• Configure real-time alerting for content modifications involving the ms_youtube_embeds shortcode
• Monitor user account activity for Contributor-level accounts creating or editing posts with shortcodes
• Implement Content Security Policy (CSP) headers to detect and block unauthorized inline script execution
• Deploy browser-based XSS detection tools to identify malicious script injection attempts

How to Mitigate CVE-2025-14144

Immediate Actions Required

• Update the Mstoic Shortcodes plugin to a patched version immediately if available
• Review and audit all existing content containing ms_youtube_embeds shortcodes for malicious payloads
• Restrict Contributor-level user permissions or disable the shortcode functionality until patched
• Implement a Web Application Firewall with XSS protection rules as a defense-in-depth measure

Patch Information

Organizations should check the official WordPress plugin repository for updated versions of Mstoic Shortcodes that address this vulnerability. The vulnerable code is located in functions/shortcodes/youtube_embeds.php at line 117. Monitor the WordPress Plugin Trac for security updates. Until a patch is available, consider the workarounds below.

Workarounds

• Temporarily deactivate the Mstoic Shortcodes plugin if the YouTube embed functionality is not critical
• Restrict user roles that can use shortcodes by implementing capability checks
• Add custom input sanitization using WordPress's wp_kses() function for the affected shortcode parameters
• Deploy a WAF rule to filter potentially malicious input in shortcode attributes

# WordPress wp-config.php - Restrict shortcode usage (add before "That's all, stop editing!")
# Disable shortcodes for non-admin users as temporary mitigation
define('DISALLOW_FILE_EDIT', true);

# Consider using a security plugin to audit shortcode usage
# Example: Review posts for suspicious content
# wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%ms_youtube_embeds%start=%' LIMIT 100;"