Atomic Edge analysis of CVE-2025-14379 (metadata-based):
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Testimonials Creator WordPress plugin version 1.6. The issue resides in the plugin’s admin settings functionality, allowing attackers with administrator-level permissions or higher to inject arbitrary JavaScript. The vulnerability is only exploitable on WordPress multisite installations or on single-site installations where the `unfiltered_html` capability is disabled, which restricts the default sanitization performed by WordPress.
Atomic Edge research infers the root cause is insufficient input sanitization and output escaping, as classified under CWE-79. The vulnerability description confirms a lack of proper neutralization for user input within admin settings. Without access to source code, it is inferred that a plugin settings page or AJAX handler accepts administrator input, stores it in the database, and later outputs it without adequate escaping functions like `esc_html()` or `wp_kses()`. This conclusion is based on the CWE classification and the specific mention of admin settings as the attack vector.
Exploitation requires an attacker to possess administrator privileges. The attacker would navigate to the vulnerable plugin settings page within the WordPress admin dashboard, likely at a path like `/wp-admin/admin.php?page=testimonials-creator`. They would then submit a crafted payload into a text-based form field, such as one for a testimonial setting, label, or configuration option. A typical payload would be `alert(document.domain)`. This script would be stored in the WordPress database and subsequently rendered without sanitization on public or admin pages, executing in the browsers of visiting users.
Remediation requires implementing proper input validation and output escaping. The plugin developers should sanitize all user input on the server-side using functions like `sanitize_text_field()` before storage. For output, they must escape dynamic content with context-appropriate functions such as `esc_html()`, `esc_attr()`, or `wp_kses_post()`. A patch would also involve a capability check to ensure only users with the `unfiltered_html` capability can submit raw HTML, aligning with WordPress core security practices.
The impact of successful exploitation is client-side code execution within the context of the affected WordPress site. An attacker can perform actions as the victim user, including stealing session cookies, performing administrative actions on their behalf, or redirecting users to malicious sites. The CVSS score of 4.4 (Medium) reflects the high attack complexity (AC:H) and privileged requirements (PR:H), but the scope change (S:C) indicates the compromise can affect users beyond the targeted component.