CVE-2025-14554 in Sell BTC Plugin
Summary
by MITRE • 01/31/2026
The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5.
Analysis
by VulDB Data Team • 02/01/2026
CVE-2025-14554 affects the Sell BTC - Cryptocurrency Selling Calculator WordPress plugin and is a critical stored cross-site scripting flaw with significant implications for WordPress site security. The vulnerability lies in the plugin's AJAX handling, specifically in the 'orderform_data' action that processes user input for order records. Because the action is reachable without authentication, an attacker can inject script into the system through the normal order submission process, creating a persistent risk to any administrator who later views those records in the admin dashboard.
Technically, the vulnerability stems from inadequate input sanitization and insufficient output escaping in the plugin's codebase. When a visitor submits order information through the calculator form, the plugin does not properly validate or sanitize the data before storing it in the database. The output escaping that should protect against XSS when order data is rendered on the administrator dashboard is likewise missing or ineffective. The combination means any script stored through the order form is later rendered and executed in the context of an administrator's browser session, which can lead to complete compromise of the affected WordPress installation.
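As an added illustration of the two defects described above (not the Sell BTC plugin's own code; the hook, option key and field names are hypothetical), here is the weak store-raw/echo-raw pattern beside a hardened version that sanitizes on the way in, escapes at the point of output, and gates the admin page on a capability:

```php
<?php
// Added illustration of the bug class described above (CWE-79 in a WordPress
// AJAX action). NOT the Sell BTC plugin's code: hook/option/field names are hypothetical.
// --- Weak pattern: raw POST data stored, then echoed unescaped to admins ---
function demo_orderform_weak() {
    $orders   = get_option( 'demo_orders', array() );
    $orders[] = array(
        'name'   => $_POST['name']   ?? '',  // attacker-controlled, untouched
        'wallet' => $_POST['wallet'] ?? '',
    );
    update_option( 'demo_orders', $orders );
    wp_send_json_success();
}
function demo_orders_page_weak() {
    foreach ( get_option( 'demo_orders', array() ) as $o ) {
        echo '<tr><td>' . $o['name'] . '</td><td>' . $o['wallet'] . '</td></tr>';
    }
}
// --- Hardened: validate/sanitize on input, escape at output, gate the page ---
function demo_orderform_hardened() {
    // Public endpoint: the nonce ties the request to a rendered form, it is not auth.
    check_ajax_referer( 'demo_orderform', 'nonce' );
    $name   = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $wallet = sanitize_text_field( wp_unslash( $_POST['wallet'] ?? '' ) );
    $amount = floatval( $_POST['amount'] ?? 0 );   // numeric field: cast it
    if ( '' === $name || '' === $wallet || $amount <= 0 ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $orders   = get_option( 'demo_orders', array() );
    $orders[] = compact( 'name', 'wallet', 'amount' );
    update_option( 'demo_orders', $orders );
    wp_send_json_success();
}
function demo_orders_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( get_option( 'demo_orders', array() ) as $o ) {
        // Escape at output whatever was stored: records written before the
        // sanitization fix (or under a partial patch) are still rendered safely.
        printf(
            '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
            esc_html( $o['name'] ),
            esc_html( $o['wallet'] ),
            esc_html( number_format( (float) ( $o['amount'] ?? 0 ), 8 ) )
        );
    }
}
add_action( 'wp_ajax_nopriv_demo_orderform', 'demo_orderform_hardened' );
add_action( 'wp_ajax_demo_orderform', 'demo_orderform_hardened' );
```

Escaping at output is the control that still holds for records that were stored before the input fix, which is why a sanitization-only patch can leave the Orders page exposed.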
The operational impact goes beyond simple script execution, because the stored payload gives the attacker a persistent foothold in the WordPress environment. Any administrator who opens the Orders page in the admin dashboard triggers the stored XSS, which lets the attacker steal session cookies, perform actions on the administrator's behalf, or redirect users to malicious sites. The vulnerability affects all versions up to and including 1.5, which is particularly concerning for sites that have not moved to the patched version. Since the report describes the patch in 1.5 as only partial, organizations may still be at risk even after applying what appears to be a security update.
From a cybersecurity perspective, this vulnerability maps to CWE-79, the weakness class for cross-site scripting in software applications. In ATT&CK terms it is a web application vulnerability usable for initial access and, through the administrator's session, privilege escalation, potentially letting attackers establish persistent access to WordPress installations. Organizations should apply immediate mitigations: disable the affected plugin until a fully patched version is available, deploy a web application firewall to detect and block malicious payloads, and audit all installed plugins for similar flaws. Because the payload is stored, order records submitted before an update remain dangerous until the rendering code escapes them, so reviewing existing order records is part of remediation. The partial patch noted in the report means organizations should not rely solely on the vendor's update and should add defensive measures of their own to protect their WordPress environments from exploitation attempts.