CVE-2025-14069
Unknown Unknown - Not Provided
Stored XSS in Schema & Structured Data for WP & AMP Plugin

Publication date: 2026-01-23

Last updated on: 2026-01-23

Assigner: Wordfence

Description
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-01-23
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14069
EUVD
EUVD-2026-4448
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
unknown_vendor schema_and_structured_data_for_wp 1.54
unknown_vendor schema_and_structured_data_for_wp 1.53
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14069 is a Stored Cross-Site Scripting (XSS) vulnerability in the Schema & Structured Data for WP & AMP WordPress plugin (up to version 1.54). It occurs because the plugin does not sufficiently sanitize and escape input in the 'saswp_custom_schema_field' profile field. Authenticated users with Contributor-level access or higher can inject malicious scripts into schema data, which then execute whenever other users view the affected pages. This vulnerability arises from incomplete input validation combined with complex conditional logic and reliance on nonce verification that may be bypassed. [1, 5]

Impact Analysis

This vulnerability allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript into pages via the plugin's schema fields. The injected scripts execute in the browsers of users who visit those pages, potentially leading to session hijacking, defacement, unauthorized actions, or theft of sensitive information. Because the attack is stored, the malicious code persists and affects all users viewing the compromised content. This can undermine site integrity, user trust, and security. [1, 5]

Detection Guidance

Detection of CVE-2025-14069 involves identifying attempts to exploit the stored XSS vulnerability via the 'saswp_custom_schema_field' profile field. Since the vulnerability requires authenticated users with Contributor-level access or higher to inject malicious scripts, monitoring for unusual or unauthorized changes to schema data or custom schema fields is key. You can audit WordPress user activity logs for changes to schema posts (custom post type 'saswp') or monitor HTTP requests to administrative AJAX endpoints related to the plugin, such as those handling schema import/export or settings changes. Specific commands or tools are not provided in the resources, but general approaches include: 1. Reviewing WordPress database entries in the 'wp_posts' table for post type 'saswp' for suspicious script tags or unexpected content in meta fields. 2. Using WP-CLI to list and inspect schema posts: `wp post list --post_type=saswp` and `wp post meta get <post_id> saswp_custom_schema_field` to check for injected scripts. 3. Monitoring web server logs for POST requests to AJAX actions like `wp_ajax_saswp_import_all_settings_and_schema` or `wp_ajax_saswp_export_all_settings_and_schema` with unusual payloads. 4. Employing security plugins or WAFs that detect stored XSS patterns in WordPress content. Since no explicit detection commands are detailed in the resources, these general methods are recommended. [1, 3, 5]

Mitigation Strategies

Immediate mitigation steps for CVE-2025-14069 include: 1. Update the 'Schema & Structured Data for WP & AMP' plugin to a version later than 1.54 where the vulnerability is fixed. 2. Restrict Contributor-level and higher user permissions to trusted users only, as the exploit requires authenticated users with these privileges. 3. Review and sanitize any existing schema data, especially the 'saswp_custom_schema_field', to remove any injected scripts. 4. Ensure that WordPress nonces and capability checks are properly enforced and that no unauthorized users can perform AJAX actions related to schema import/export or settings changes. 5. If immediate update is not possible, consider disabling the plugin temporarily or limiting access to its administrative functions. 6. Monitor logs for suspicious activity related to schema data manipulation. These steps are based on the plugin's reliance on nonce verification and capability checks, and the vulnerability arising from insufficient input sanitization and output escaping in schema fields. [1, 3, 5]

Compliance Impact

The provided resources do not explicitly discuss the impact of CVE-2025-14069 on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows authenticated attackers with Contributor-level access to inject arbitrary scripts via stored cross-site scripting (XSS), it could potentially lead to unauthorized access or manipulation of user data, which may affect data protection and privacy compliance indirectly. No direct statements or analysis regarding compliance impact are present in the provided texts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14069. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart