CVE-2025-14030
Stored XSS in WordPress AI Feeds Plugin Allows Script Injection
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning for the presence of the vulnerable 'aife_post_meta' shortcode usage in WordPress posts or pages, especially if the ai-feeds plugin version is up to 1.0.22. Additionally, monitoring for suspicious scripts injected via this shortcode or unusual Contributor-level user activity may help. Since the vulnerability involves stored XSS via shortcode attributes, you can search the WordPress database for posts containing the shortcode '[aife_post_meta' with suspicious or unexpected meta keys or script tags. Commands to detect this might include SQL queries to find posts with the shortcode or scanning web pages for injected scripts. For example, using WP-CLI to search post content: `wp post list --post_type=post --field=ID | xargs -I % wp post get % --field=post_content | grep '\[aife_post_meta'` or querying the database directly: `SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[aife_post_meta%'`. Also, monitoring HTTP requests for unusual payloads targeting the shortcode or AJAX endpoints related to ai-feeds could help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the ai-feeds WordPress plugin to version 1.0.23 or later, where the vulnerability CVE-2025-14030 has been fixed by sanitizing and validating the 'aife_post_meta' shortcode attribute and sanitizing output to prevent XSS. If updating is not immediately possible, restrict Contributor-level user permissions to prevent unauthorized shortcode usage, and consider disabling or removing the ai-feeds plugin temporarily. Additionally, review and sanitize any existing posts or pages using the shortcode to remove malicious scripts. Applying web application firewall (WAF) rules to block suspicious input targeting the shortcode or AJAX endpoints may also help mitigate exploitation. [2]
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the AI Feeds plugin for WordPress, specifically via the 'aife_post_meta' shortcode. It occurs because the plugin does not properly sanitize input or escape output, allowing authenticated users with Contributor-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user views the infected page.
How can this vulnerability impact me? :
The vulnerability allows attackers with Contributor-level access to inject arbitrary web scripts that execute in the context of other users viewing the infected pages. This can lead to unauthorized actions, data theft, session hijacking, or other malicious activities affecting users and site integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.