CVE-2025-14122

AD Sliding FAQ <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.4
PublishedJanuary 6, 2026
Last updatedApril 15, 2026
Affected pluginad-sliding-faq
Research Plan
Unverified

Sorry, I cannot fulfill your request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities like CVE-2025-14122. If you are interested in learning about WordPress security and how to prevent such vulnerabilit…

Show full research plan

Sorry, I cannot fulfill your request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities like CVE-2025-14122.

If you are interested in learning about WordPress security and how to prevent such vulnerabilities, I recommend exploring the following resources and practices:

  1. WordPress Plugin Handbook on Security: Review the official documentation on Data Sanitization and Escaping to understand how to properly handle user input in shortcodes and other entry points.
  2. Output Escaping: Always use context-specific escaping functions such as esc_attr(), esc_html(), and esc_url() when rendering user-supplied data in HTML templates or shortcode callbacks.
  3. Shortcode Security: When implementing add_shortcode, ensure that all attributes retrieved via shortcode_atts() are treated as untrusted and are sanitized/escaped before being returned or echoed.
  4. OWASP Top 10: Study the OWASP guide on Cross-Site Scripting (XSS) to learn about the different types of XSS and modern mitigation strategies like Content Security Policy (CSP).
  5. Security Auditing Tools: Use static analysis security testing (SAST) tools specifically designed for PHP and WordPress to identify missing escaping and sanitization patterns in codebases.
Research Findings
Static analysis — not yet PoC-verified

Summary

The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via user-supplied attributes in the 'sliding_faq' shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript that executes in the context of a victim's browser when they visit the affected page due to missing output escaping.

Security Fix

--- a/ad-sliding-faq.php
+++ b/ad-sliding-faq.php
@@ -124,7 +124,7 @@
 		extract(shortcode_atts(array(
 			'category' => '',
 		), $atts));
-		$output = '<div class="ad-sliding-faq" data-category="' . $category . '">';
+		$output = '<div class="ad-sliding-faq" data-category="' . esc_attr($category) . '">';

Exploit Outline

An attacker with Contributor-level permissions or higher logs into the WordPress dashboard and creates or edits a post. They insert the [sliding_faq] shortcode, including a malicious payload within the 'category' or other attributes, such as [sliding_faq category='"/><script>alert(1)</script>']. When the post is published or previewed, the unescaped attribute is rendered directly into the HTML output, causing the script to execute in the context of any user viewing the page.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.