CVE-2025-14145
Stored XSS in Niche Hero WordPress Plugin nh_row Shortcode
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_niche_hero | niche_hero | to 1.0.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Niche Hero WordPress plugin, specifically via the 'spacing' parameter of the nh_row shortcode. It occurs because the plugin does not properly sanitize or escape input, allowing authenticated users with Contributor-level access or higher to inject malicious scripts that execute when other users view the affected pages.
How can this vulnerability impact me? :
An attacker with Contributor-level access or above can inject malicious scripts into pages, which will execute in the browsers of users who view those pages. This can lead to unauthorized actions, data theft, session hijacking, or other malicious activities affecting site users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning for the presence of the Niche Hero WordPress plugin version 1.0.5 or earlier. Additionally, inspecting shortcode usage in WordPress posts or pages for the 'nh_row' shortcode with a 'spacing' parameter containing suspicious or script-like content may indicate exploitation attempts. Since the vulnerability involves stored Cross-Site Scripting via shortcode attributes, monitoring HTTP requests or page content for injected scripts related to the 'spacing' parameter or other shortcode attributes (like overlay_color, box_shadow_in_lead) can help detect exploitation. Specific commands could include using WP-CLI to list installed plugins and their versions, e.g., `wp plugin list | grep niche-hero`, and searching the WordPress database for shortcode usage with potentially malicious content, e.g., `wp db query "SELECT post_content FROM wp_posts WHERE post_content LIKE '%[nh_row%spacing=%'"`. Network-level detection could involve inspecting HTTP responses for unexpected inline scripts or styles injected via these shortcode attributes. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Niche Hero plugin to a version that patches this vulnerability if available. If no patch is available, temporarily disabling or uninstalling the plugin is recommended to prevent exploitation. Additionally, review and sanitize any existing shortcode usage in posts or pages to remove malicious or suspicious attributes, especially the 'spacing' parameter and other style-related attributes. Restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with Contributor access or above to exploit. Implement Web Application Firewall (WAF) rules to block attempts to inject scripts via shortcode parameters. Finally, monitor logs and site content for signs of exploitation and remove any injected malicious scripts. [1, 2]