CVE-2025-14865 Overview
The Passster – Password Protect Pages and Content plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in its content_protector shortcode. All versions up to and including 4.2.24 are affected. An authenticated attacker with Contributor-level access or higher can place a crafted shortcode in a post so that arbitrary web script is stored with the post and then executes in the browser of every user who views the page, which can lead to session hijacking, credential theft, or actions performed with the victim's privileges.
Critical Impact
An authenticated attacker with only Contributor-level access can persistently inject JavaScript that runs in the browser of every user who views the affected page, including the Editors and Administrators who review Contributor submissions, putting administrative accounts and site integrity at risk.
Affected Products
- Passster – Password Protect Pages and Content plugin for WordPress versions up to and including 4.2.24
- WordPress sites using the content_protector shortcode functionality
- Versions before 4.2.21 contain the full flaw; versions 4.2.21 through 4.2.24 carry only a partial fix and remain exploitable
Discovery Timeline
- 2026-01-28 - CVE-2025-14865 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-14865
Vulnerability Analysis
The vulnerability sits in the plugin's shortcode handler. The content_protector shortcode takes user-supplied attribute values and writes them into the rendered HTML without escaping them for the context they land in. Any user with Contributor-level privileges or higher can create or edit a post containing the shortcode, so a crafted attribute value carrying script is stored in the WordPress database together with the post.
Contributor-level access is a low privilege in WordPress: Contributors can draft posts but cannot publish them, and they lack the unfiltered_html capability, so WordPress strips script tags and event handlers from their content through KSES. A shortcode attribute is not HTML at save time, so that filter leaves it alone, and the plugin then renders it unescaped at view time. This turns a content author into someone who can execute script in other users' browsers. Because the payload is stored, it fires for every visitor to the affected page, including the Editor or Administrator who previews or approves the Contributor's draft.
The attack is delivered over the network and needs nothing from the victim beyond loading the page. Script that runs in the victim's browser acts outside the vulnerable component's own security scope: it can read page content, any cookies not marked HttpOnly, and tokens or nonces present in the page, and it can send requests the site will accept as the victim's.
Root Cause
The root cause is missing output encoding in class-ps-public.php, around line 136 in the shortcode handler. Attribute values are concatenated into the HTML output without passing through an escaping function appropriate to the context, such as esc_attr() for an attribute value or esc_html() for element text. A value containing a quote or angle bracket therefore closes the attribute or tag the plugin intended, and the remainder is parsed as markup or script.
Version 4.2.21 addressed the issue only partially, leaving some attack paths open; full remediation came in a later release, which is why two changesets are listed for this issue.
Attack Vector
The attack goes through the WordPress shortcode system, which Contributor-level users may use in their posts. The attacker writes a content_protector shortcode whose attribute values carry a JavaScript payload, typically a quoted string that breaks out of the attribute the plugin places it in and appends an event handler. When the page renders, the unescaped value is emitted verbatim into the HTML and the browser executes the injected script.
The script runs inside the victim's browser session, so the attacker can read what that session can read and submit requests the site will accept as coming from the victim, including nonce-protected admin actions. If an Administrator views the compromised page, that amounts to full administrative control of the WordPress site.
For technical details on the vulnerable code paths, refer to the WordPress Plugin Code Review showing the affected code in version 4.2.20.
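The following is an added illustration of the pattern described in the root cause and attack vector sections; it is not Passster's code, and the attribute names (headline, placeholder) and the HTML it emits are hypothetical. It shows a shortcode handler that concatenates attribute values into markup unescaped, beside the hardened form that escapes each value for the context it lands in. The WordPress helpers it uses (shortcode_atts, esc_attr, esc_html) are stubbed so the file runs under the PHP CLI without a WordPress install.

```php
<?php
// Added illustration, not Passster's own code: a minimal shortcode handler in
// the shape of content_protector that reproduces the unsafe pattern described
// above (attribute values echoed into HTML unescaped) beside its hardened form.
// The attribute names are hypothetical. WordPress helpers are stubbed so the
// file runs under the PHP CLI without WordPress.
declare(strict_types=1);

if (!function_exists('shortcode_atts')) {
    /** Stub of WordPress's shortcode_atts(): fill defaults for missing attributes. */
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = $atts[$name] ?? $default;
        }
        return $out;
    }
    /** Stubs of WordPress's esc_attr()/esc_html(): HTML-encode <, >, &, " and '. */
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

/** Unsafe: attribute values are concatenated straight into the markup. */
function vulnerable_content_protector(array $atts, ?string $content = null): string {
    $a = shortcode_atts(['headline' => '', 'placeholder' => 'Enter password'], $atts);
    return '<div class="passster-form"><h3>' . $a['headline'] . '</h3>'
         . '<input type="password" placeholder="' . $a['placeholder'] . '"></div>';
}

/** Hardened: each value is escaped for the context it lands in. */
function hardened_content_protector(array $atts, ?string $content = null): string {
    $a = shortcode_atts(['headline' => '', 'placeholder' => 'Enter password'], $atts);
    return '<div class="passster-form"><h3>' . esc_html($a['headline']) . '</h3>'
         . '<input type="password" placeholder="' . esc_attr($a['placeholder']) . '"></div>';
}

// Constructed attacker-controlled attributes, as WordPress hands them to the
// handler after parsing
//   [content_protector headline="Members area" placeholder='" autofocus onfocus="alert(1)']
// A Contributor cannot save a raw <script> tag (KSES strips it), but this value
// contains no tag at save time, so it is stored unchanged.
$attacker = [
    'headline'    => 'Members area',
    'placeholder' => '" autofocus onfocus="alert(1)',
];
echo "vulnerable: ", vulnerable_content_protector($attacker), PHP_EOL;
echo "hardened:   ", hardened_content_protector($attacker), PHP_EOL;
```

Run with `php example.php`. The vulnerable output contains `placeholder="" autofocus onfocus="alert(1)"`, so the handler fires as soon as the input receives focus on page load; the hardened output keeps the whole value inside the attribute as `&quot; autofocus onfocus=&quot;alert(1)` and nothing executes. Note that the single-quoted shortcode attribute is what lets the double quote through WordPress's shortcode parser, and that KSES does not touch it because nothing in the post is a tag until the plugin renders it.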
Detection Methods for CVE-2025-14865
Indicators of Compromise
- Unusual JavaScript code embedded within posts containing the content_protector shortcode
- Unexpected shortcode attributes containing HTML entities, script tags, or event handlers
- Posts created or modified by Contributor-level users whose shortcode attributes contain quote characters, angle brackets, or on*= event handler names
- Browser console errors or unexpected script execution when viewing protected content pages
Detection Strategies
- Implement content scanning for suspicious patterns in shortcode attributes across all posts using the content_protector shortcode
- Monitor WordPress audit logs for post modifications by Contributor-level users, particularly those involving shortcode content
- Deploy Web Application Firewall (WAF) rules to detect XSS patterns in WordPress post content submissions
- Use SentinelOne Singularity to monitor for anomalous script execution patterns on WordPress hosting infrastructure
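As an added example of the content-scanning strategy above (not code from the page or the plugin), the script below walks rows shaped like wp_posts and flags content_protector shortcodes whose attributes carry markup, an event handler, a javascript: URL, or a single-quoted value hiding a double quote. The sample rows are constructed; the WP-CLI command in the comment is one way to obtain real ones. The patterns are heuristics and every hit should be reviewed by hand.

```php
<?php
// Added example, not from the original page or the plugin: a scanner for the
// "suspicious shortcode attribute" indicator. It walks rows shaped like
// wp_posts (constructed here) and flags content_protector shortcodes whose
// attributes carry markup, event handlers, a javascript: URL or a quote
// breakout. Heuristic only: review each hit by hand.
declare(strict_types=1);

/** Attribute strings of every [content_protector ...] tag in the content. */
function find_content_protector_attrs(string $content): array {
    preg_match_all('/\[content_protector\b([^\]]*)\]/i', $content, $matches);
    return $matches[1];
}

/** True when the attribute text could break into HTML or script at render time. */
function attrs_look_malicious(string $attrs): bool {
    $patterns = [
        '/<\s*\/?[a-z]/i',                  // a tag start inside a value
        '/\bon[a-z]+\s*=/i',                // onerror=, onfocus=, onload=, ...
        '/javascript\s*:/i',                // javascript: scheme
        '/&(?:#x?[0-9a-f]+|lt|gt|quot);/i', // entity-encoded < > " that a decode would revive
        '/=\s*\'[^\']*"/',                  // single-quoted value hiding a double quote
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $attrs) === 1) {
            return true;
        }
    }
    return false;
}

/** Rows: ['ID' => int, 'post_author' => int, 'post_content' => string]. */
function scan_posts(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        foreach (find_content_protector_attrs($row['post_content']) as $attrs) {
            if (attrs_look_malicious($attrs)) {
                $hits[] = ['ID' => $row['ID'], 'post_author' => $row['post_author'], 'attrs' => trim($attrs)];
            }
        }
    }
    return $hits;
}

// Constructed sample rows. In production, export real ones with WP-CLI:
//   wp post list --post_type=post,page --fields=ID,post_author,post_content --format=json
// and json_decode() the result into this shape.
$sample = [
    ['ID' => 10, 'post_author' => 2, 'post_content' =>
        '[content_protector password="s3cret" placeholder="Members only"]Hidden[/content_protector]'],
    // quote breakout as a Contributor could store it (passes KSES: no tag at save time)
    ['ID' => 11, 'post_author' => 5, 'post_content' =>
        "[content_protector password='x' placeholder='\" autofocus onfocus=\"alert(1)']Hidden[/content_protector]"],
    // raw tag in a value, as a user with unfiltered_html could store it
    ['ID' => 12, 'post_author' => 5, 'post_content' =>
        '[content_protector password="x" headline="<img src=x onerror=alert(1)>"]Hidden[/content_protector]'],
    ['ID' => 13, 'post_author' => 2, 'post_content' => 'No shortcode here, just <a href="/x">a link</a>.'],
];

foreach (scan_posts($sample) as $hit) {
    printf("post %d (author %d): %s\n", $hit['ID'], $hit['post_author'], $hit['attrs']);
}
```

Posts 11 and 12 are reported; 10 and 13 are not. Cross-reference the post_author values of hits with the user roles on the site: a hit authored by a Contributor is the scenario this CVE describes, while a hit by an Editor or Administrator points either at a legitimately unusual attribute or at a compromised privileged account.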
Monitoring Recommendations
- Enable detailed logging for all WordPress user activity, especially content creation and editing actions
- Configure alerts for posts containing the content_protector shortcode that are modified by non-administrative users
- Implement regular security scans of the WordPress database for stored XSS payloads
- Monitor for data leaving viewers' browsers rather than the web server: a stored XSS exfiltrates from the victim's browser, so egress monitoring on the server will not see it, whereas a Content Security Policy with connect-src and img-src restrictions and a report-to or report-uri endpoint will surface the outbound requests
How to Mitigate CVE-2025-14865
Immediate Actions Required
- Update the Passster – Password Protect Pages and Content plugin to a version newer than 4.2.24 immediately
- Audit all existing posts using the content_protector shortcode for malicious content
- Review user accounts with Contributor-level access and above for suspicious activity
- Consider temporarily restricting shortcode usage to trusted user roles until the update is applied
Patch Information
The vulnerability was partially patched in version 4.2.21 with additional fixes in subsequent releases. Two changesets address this vulnerability:
- WordPress Plugin Changeset #3422595 - Initial partial fix
- WordPress Plugin Changeset #3439532 - Complete remediation
For the most comprehensive vulnerability information, refer to the Wordfence Vulnerability Report.
Workarounds
- Deactivate the Passster plugin if an immediate update is not possible, but note that with the plugin off WordPress renders the unregistered shortcode as literal text and the content it enclosed becomes publicly visible, so unpublish or otherwise protect those pages first
- Prevent Contributor-level users from using the content_protector shortcode until the update is applied, for example by stripping it from content saved by users who lack the unfiltered_html capability
- Use a Web Application Firewall with rules specifically blocking XSS patterns in WordPress content
- Implement Content Security Policy headers to mitigate the impact of successful XSS attacks
# Added as a starting point for the WordPress .htaccess; requires Apache mod_headers.
# WordPress core and many plugins emit inline scripts, so script-src 'self' alone breaks
# the admin and parts of the front end: rehearse in Report-Only mode, then enforce.
<IfModule mod_headers.c>
    # Rehearse: reports violations to the browser console without blocking anything
    Header always set Content-Security-Policy-Report-Only "script-src 'self'; object-src 'none'; base-uri 'self'"
    # Enforce once the report-only run is clean
    # Header always set Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'self'"
    # The XSS auditor that "1; mode=block" controlled has been removed from current
    # browsers; the recommended value is now 0
    Header always set X-XSS-Protection "0"
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
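For the capability-check workaround in the list above, the following is an added example (not Passster's code, and not the official fix) of a must-use plugin that removes content_protector shortcodes, together with the text they enclose, from post content saved by any user without the unfiltered_html capability. It uses the real WordPress hook wp_insert_post_data and the real helpers current_user_can, wp_unslash and wp_slash; the function and constant names prefixed rcp_ are this example's own. The stripping function is pure, so the same file also runs under the PHP CLI as a demo on constructed input.

```php
<?php
/**
 * Plugin Name: Restrict content_protector to trusted authors
 *
 * Added example for the workaround above; it is not Passster's code. Until the
 * plugin is updated, it removes content_protector shortcodes (and the text they
 * enclose, so nothing protected leaks) from post content saved by users without
 * the unfiltered_html capability, which by default means Contributors and
 * Authors. Drop it in wp-content/mu-plugins/ to activate. The stripping function
 * is pure, so the file also runs under the PHP CLI as a demo.
 */
declare(strict_types=1);

// Plain text, deliberately not in [shortcode] syntax so it can never be executed.
const RCP_NOTICE = '(content_protector shortcode removed: author lacks unfiltered_html)';

/** Replace every content_protector shortcode, paired or self-closing, with a notice. */
function rcp_strip_content_protector(string $content): string {
    // Paired form first, spanning newlines and removing the enclosed text too.
    $content = preg_replace('/\[content_protector\b[^\]]*\].*?\[\/content_protector\]/is', RCP_NOTICE, $content);
    // Any remaining opening or self-closing tag.
    return preg_replace('/\[content_protector\b[^\]]*\]/i', RCP_NOTICE, $content);
}

if (function_exists('add_filter')) {
    // wp_insert_post_data runs on every post insert and update. $data arrives
    // slashed, so unslash before matching and slash again before returning.
    add_filter('wp_insert_post_data', function (array $data): array {
        if (current_user_can('unfiltered_html') || !isset($data['post_content'])) {
            return $data;
        }
        $clean = rcp_strip_content_protector((string) wp_unslash($data['post_content']));
        $data['post_content'] = wp_slash($clean);
        return $data;
    });
} else {
    // Stand-alone demo with constructed Contributor content.
    $draft = "Intro. [content_protector password='x' placeholder='\" onfocus=\"alert(1)']Secret[/content_protector] Outro.";
    echo rcp_strip_content_protector($draft), PHP_EOL;
}
```

This is a blunt instrument: it also blocks legitimate Contributor and Author use of the shortcode, which is acceptable as a stopgap but not as a permanent state. It only affects content as it is saved, so payloads already in the database still need the audit step listed under Immediate Actions, and Editors and Administrators, who hold unfiltered_html by default, are untouched, which is why the audit should also cover their posts. Nested shortcodes inside a content_protector block are removed along with it.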
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

