CVE-2025-14145
Unknown Unknown - Not Provided
Stored XSS in Niche Hero WordPress Plugin nh_row Shortcode

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: Wordfence

Description
The Niche Hero | Beautifully-designed blocks in seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spacing' parameter of the nh_row shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14145
EUVD
EUVD-2026-1302
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
the_niche_hero niche_hero to 1.0.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Niche Hero WordPress plugin, specifically via the 'spacing' parameter of the nh_row shortcode. It occurs because the plugin does not properly sanitize or escape input, allowing authenticated users with Contributor-level access or higher to inject malicious scripts that execute when other users view the affected pages.

Impact Analysis

An attacker with Contributor-level access or above can inject malicious scripts into pages, which will execute in the browsers of users who view those pages. This can lead to unauthorized actions, data theft, session hijacking, or other malicious activities affecting site users.

Detection Guidance

This vulnerability can be detected by scanning for the presence of the Niche Hero WordPress plugin version 1.0.5 or earlier. Additionally, inspecting shortcode usage in WordPress posts or pages for the 'nh_row' shortcode with a 'spacing' parameter containing suspicious or script-like content may indicate exploitation attempts. Since the vulnerability involves stored Cross-Site Scripting via shortcode attributes, monitoring HTTP requests or page content for injected scripts related to the 'spacing' parameter or other shortcode attributes (like overlay_color, box_shadow_in_lead) can help detect exploitation. Specific commands could include using WP-CLI to list installed plugins and their versions, e.g., `wp plugin list | grep niche-hero`, and searching the WordPress database for shortcode usage with potentially malicious content, e.g., `wp db query "SELECT post_content FROM wp_posts WHERE post_content LIKE '%[nh_row%spacing=%'"`. Network-level detection could involve inspecting HTTP responses for unexpected inline scripts or styles injected via these shortcode attributes. [1, 2]

Mitigation Strategies

Immediate mitigation steps include updating the Niche Hero plugin to a version that patches this vulnerability if available. If no patch is available, temporarily disabling or uninstalling the plugin is recommended to prevent exploitation. Additionally, review and sanitize any existing shortcode usage in posts or pages to remove malicious or suspicious attributes, especially the 'spacing' parameter and other style-related attributes. Restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with Contributor access or above to exploit. Implement Web Application Firewall (WAF) rules to block attempts to inject scripts via shortcode parameters. Finally, monitor logs and site content for signs of exploitation and remove any injected malicious scripts. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14145. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart