CVE-2025-14030 in AI Feeds Plugin
Summary
by MITRE • 12/12/2025
The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 12/12/2025
The vulnerability identified as CVE-2025-14030 affects the AI Feeds plugin for WordPress, specifically targeting versions up to and including 1.0.22. This represents a critical security flaw that undermines the integrity of WordPress installations by enabling malicious actors with relatively low privileges to execute persistent cross-site scripting attacks. The vulnerability manifests through the 'aife_post_meta' shortcode, which serves as an entry point for attackers to inject malicious code into the system.
The technical root cause of this vulnerability stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's codebase. When authenticated users with Contributor-level access or higher submit content through the affected shortcode, the plugin fails to properly validate or sanitize the input data before processing it for display. This lack of proper data sanitization creates an environment where malicious scripts can be stored within the WordPress database and subsequently executed whenever legitimate users access pages containing the injected content.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a persistent foothold within the WordPress environment. Since the vulnerability affects users with Contributor-level access, it represents a significant risk to sites where multiple users have varying levels of administrative privileges. The stored nature of the XSS attack means that once malicious code is injected, it will execute automatically whenever any user accesses the affected pages, potentially leading to session hijacking, data exfiltration, or further compromise of the WordPress installation.
This vulnerability aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws in software applications. The issue also maps to ATT&CK technique T1566.001, which covers social engineering through spearphishing attachments, as attackers could leverage this vulnerability to deliver malicious payloads that exploit user trust. The attack vector requires minimal privileges, making it particularly dangerous as it can be exploited by users who normally have limited access to system resources but can still manipulate content within the WordPress environment.
Organizations affected by this vulnerability should immediately implement mitigation strategies including updating to the latest version of the AI Feeds plugin where the XSS vulnerability has been addressed. Administrators should also consider implementing additional security measures such as role-based access controls to limit the scope of users who can submit content through the affected shortcode. Regular security audits of WordPress plugins and themes should be conducted to identify similar vulnerabilities that could compromise the overall security posture of the platform.