CVE-2025-14048
Stored XSS in SimplyConvert WordPress Plugin Allows Admin Script Injection
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | simplyconvert | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the SimplyConvert plugin for WordPress. It occurs via the 'simplyconvert_hash' option in versions up to and including 1.0. Due to insufficient input sanitization and output escaping, authenticated attackers with administrator-level access can inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page.
How can this vulnerability impact me? :
The vulnerability allows an attacker with administrator access to inject malicious scripts that execute in users' browsers when they visit affected pages. This can lead to unauthorized actions, data theft, session hijacking, or other malicious activities impacting the confidentiality and integrity of the website and its users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WordPress site is using the SimplyConvert plugin version 1.0 or 1.1 and if the 'simplyconvert_hash' option contains malicious script injections. You can inspect the WordPress options table for the 'simplyconvert_hash' value and look for suspicious JavaScript code. Additionally, reviewing the plugin's settings page for unexpected or unauthorized changes to the Company ID may help. There are no specific commands provided in the resources, but you can use WP-CLI commands such as `wp option get simplyconvert_hash` to retrieve the stored hash and inspect it for malicious content. Also, monitoring HTTP responses for injected scripts in pages where the widget is embedded can help detect exploitation. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting administrator access to trusted users only, as exploitation requires admin-level access. Remove or update the SimplyConvert plugin to a version that properly sanitizes and escapes input (if available). As a temporary measure, clear or reset the 'simplyconvert_hash' option to an empty string to prevent execution of injected scripts. Monitor and audit the plugin's settings page for unauthorized changes. Applying strict input validation and output escaping on the 'simplyconvert_hash' option and shortcode parameters is recommended once a patch is available. [1, 3]