CVE-2025-14554
Unknown Unknown - Not Provided

Stored XSS in Sell BTC WordPress Plugin Allows Admin Session Hijack

Vulnerability report for CVE-2025-14554, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-31

Last updated on: 2026-01-31

Assigner: Wordfence

Description

The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-31
Last Modified
2026-01-31
Generated
2026-07-06
AI Q&A
2026-01-31
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
hayyatapps sell_btc to 1.5 (inc)
hayyatapps sell_btc 1.6

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in the Sell BTC - Cryptocurrency Selling Calculator WordPress plugin is a Stored Cross-Site Scripting (XSS) issue. It occurs via the 'orderform_data' AJAX action in versions up to and including 1.5 due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject malicious scripts into order records, which then execute when an administrator views the Orders page in the admin dashboard. The vulnerability was partially fixed in version 1.5, with a more complete fix in version 1.6 that added output escaping to prevent XSS. [2, 3, 4]

Impact Analysis

This vulnerability can allow attackers to execute arbitrary scripts in the context of the WordPress admin dashboard when an administrator views the Orders page. This can lead to theft of administrator credentials, session hijacking, or unauthorized actions performed with administrator privileges. Since the attacker can inject scripts without authentication, it poses a significant security risk to the website's backend and potentially the entire WordPress installation. [2, 3, 4]

Detection Guidance

This vulnerability can be detected by checking if the WordPress site is running the Sell BTC plugin version 1.5 or earlier, as these versions are vulnerable to stored Cross-Site Scripting via the 'orderform_data' AJAX action. To detect exploitation attempts, monitor HTTP POST requests to the AJAX endpoint handling 'orderform_data' for suspicious or malicious script payloads. Additionally, inspecting the database table `happs_sellbtc_orders` for unexpected script tags or suspicious input in order records can help identify exploitation. Specific commands depend on your environment, but for example, you can use the following to search for suspicious scripts in the database (assuming access to MySQL): ```sql SELECT * FROM wp_happs_sellbtc_orders WHERE FirstName LIKE '%<script%' OR LastName LIKE '%<script%' OR Email LIKE '%<script%' OR CustomMessage LIKE '%<script%'; ``` For web server logs, you can grep for suspicious POST requests: ```bash grep 'orderform_data' /var/log/apache2/access.log | grep -i '<script>' ``` Or monitor AJAX requests to the plugin's backend for unusual payloads. Note that the vulnerability triggers when an administrator views the Orders page, so reviewing admin dashboard access logs for unusual activity may also help. Upgrading the plugin to version 1.6 or later, which includes output escaping fixes, is recommended to prevent exploitation. [2, 4, 5]

Mitigation Strategies

Immediate mitigation steps include: 1. Upgrade the Sell BTC plugin to version 1.6 or later, as this version includes security enhancements that properly escape output in the Orders page to prevent stored Cross-Site Scripting attacks. 2. If upgrading immediately is not possible, restrict access to the WordPress admin dashboard, especially the Orders page, to trusted administrators only. 3. Review and sanitize existing order records in the `happs_sellbtc_orders` database table to remove any malicious scripts. 4. Monitor and block suspicious AJAX requests targeting the 'orderform_data' action. 5. Consider applying web application firewall (WAF) rules to detect and block XSS payloads targeting this plugin. These steps will help prevent exploitation of the vulnerability until a full update can be applied. [3, 4, 6]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14554. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart