CVE-2025-14865 in Passster Plugin
Summary
by MITRE • 01/28/2026
The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/29/2026
The Passster plugin for WordPress presents a critical stored cross-site scripting vulnerability that affects versions up to and including 4.2.24. This vulnerability specifically targets the plugin's 'content_protector' shortcode functionality, creating a persistent security weakness that can be exploited by authenticated attackers. The flaw resides in how the plugin processes and renders user input through the shortcode mechanism, allowing malicious code injection that persists in the database and executes whenever affected pages are accessed. The vulnerability impacts all user roles with Contributor-level access and above, significantly expanding the potential attack surface since contributors typically have the ability to create and edit posts and pages within WordPress installations. This represents a serious compromise of the WordPress security model where users with relatively low privileges can introduce malicious payloads that affect all visitors to the compromised pages.
The technical exploitation of this vulnerability follows a standard stored XSS attack pattern where malicious input is first stored in the WordPress database through the content_protector shortcode functionality. When legitimate users access pages containing the injected malicious code, the script executes in their browsers within the context of the vulnerable website, potentially leading to session hijacking, credential theft, or further exploitation. The partial patch implemented in version 4.2.21 suggests that the developers recognized the vulnerability but may have failed to address all injection vectors, leaving the system still susceptible to similar attacks. This incomplete remediation highlights the complexity of XSS vulnerabilities in content management systems where multiple input points and rendering contexts must be considered. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a classic example of how web application developers must properly sanitize and escape all user-provided content before storing or rendering it.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities that compromise the integrity and confidentiality of the WordPress installation. An attacker with contributor privileges can inject scripts that steal cookies, redirect users to malicious sites, or even modify content in ways that persist across multiple user sessions. The persistent nature of stored XSS makes this vulnerability particularly dangerous because the injected code remains active until manually removed from the database, potentially affecting thousands of users over extended periods. This vulnerability can be leveraged as a stepping stone for more sophisticated attacks, including privilege escalation or lateral movement within the WordPress environment. The impact is further amplified in multi-user environments where contributors may not be properly monitored or restricted, creating opportunities for insider threats or compromised accounts to exploit this weakness.
Organizations should prioritize immediate remediation of this vulnerability by upgrading to the latest version of the Passster plugin where the XSS flaw has been fully addressed. System administrators should also implement additional monitoring for suspicious shortcode usage and content modifications, particularly for users with contributor-level access. The mitigation strategy should include regular security audits of WordPress plugins, ensuring that all third-party components are kept up to date with the latest security patches. Network-level protections such as web application firewalls can provide additional defense-in-depth, though they should not be relied upon as the sole protection mechanism. Security teams should also consider implementing content security policies that limit the execution of inline scripts and restrict the sources from which scripts can be loaded. Regular penetration testing and vulnerability assessments should include verification of plugin security, particularly for authentication bypass and privilege escalation vulnerabilities that could allow attackers to gain higher levels of access within the WordPress environment.