CVE-2025-14069
Stored XSS in Schema & Structured Data for WP & AMP Plugin
Publication date: 2026-01-23
Last updated on: 2026-01-23
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | schema_and_structured_data_for_wp | 1.54 |
| unknown_vendor | schema_and_structured_data_for_wp | 1.53 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14069 is a Stored Cross-Site Scripting (XSS) vulnerability in the Schema & Structured Data for WP & AMP WordPress plugin (up to version 1.54). It occurs because the plugin does not sufficiently sanitize and escape input in the 'saswp_custom_schema_field' profile field. Authenticated users with Contributor-level access or higher can inject malicious scripts into schema data, which then execute whenever other users view the affected pages. This vulnerability arises from incomplete input validation combined with complex conditional logic and reliance on nonce verification that may be bypassed. [1, 5]
How can this vulnerability impact me? :
This vulnerability allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript into pages via the plugin's schema fields. The injected scripts execute in the browsers of users who visit those pages, potentially leading to session hijacking, defacement, unauthorized actions, or theft of sensitive information. Because the attack is stored, the malicious code persists and affects all users viewing the compromised content. This can undermine site integrity, user trust, and security. [1, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-14069 involves identifying attempts to exploit the stored XSS vulnerability via the 'saswp_custom_schema_field' profile field. Since the vulnerability requires authenticated users with Contributor-level access or higher to inject malicious scripts, monitoring for unusual or unauthorized changes to schema data or custom schema fields is key. You can audit WordPress user activity logs for changes to schema posts (custom post type 'saswp') or monitor HTTP requests to administrative AJAX endpoints related to the plugin, such as those handling schema import/export or settings changes. Specific commands or tools are not provided in the resources, but general approaches include: 1. Reviewing WordPress database entries in the 'wp_posts' table for post type 'saswp' for suspicious script tags or unexpected content in meta fields. 2. Using WP-CLI to list and inspect schema posts: `wp post list --post_type=saswp` and `wp post meta get <post_id> saswp_custom_schema_field` to check for injected scripts. 3. Monitoring web server logs for POST requests to AJAX actions like `wp_ajax_saswp_import_all_settings_and_schema` or `wp_ajax_saswp_export_all_settings_and_schema` with unusual payloads. 4. Employing security plugins or WAFs that detect stored XSS patterns in WordPress content. Since no explicit detection commands are detailed in the resources, these general methods are recommended. [1, 3, 5]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for CVE-2025-14069 include: 1. Update the 'Schema & Structured Data for WP & AMP' plugin to a version later than 1.54 where the vulnerability is fixed. 2. Restrict Contributor-level and higher user permissions to trusted users only, as the exploit requires authenticated users with these privileges. 3. Review and sanitize any existing schema data, especially the 'saswp_custom_schema_field', to remove any injected scripts. 4. Ensure that WordPress nonces and capability checks are properly enforced and that no unauthorized users can perform AJAX actions related to schema import/export or settings changes. 5. If immediate update is not possible, consider disabling the plugin temporarily or limiting access to its administrative functions. 6. Monitor logs for suspicious activity related to schema data manipulation. These steps are based on the plugin's reliance on nonce verification and capability checks, and the vulnerability arising from insufficient input sanitization and output escaping in schema fields. [1, 3, 5]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss the impact of CVE-2025-14069 on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows authenticated attackers with Contributor-level access to inject arbitrary scripts via stored cross-site scripting (XSS), it could potentially lead to unauthorized access or manipulation of user data, which may affect data protection and privacy compliance indirectly. No direct statements or analysis regarding compliance impact are present in the provided texts.