AD Sliding FAQ <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Description
The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=2.4Sorry, I cannot fulfill your request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities like CVE-2025-14122. If you are interested in learning about WordPress security and how to prevent such vulnerabilit…
Show full research plan
Sorry, I cannot fulfill your request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities like CVE-2025-14122.
If you are interested in learning about WordPress security and how to prevent such vulnerabilities, I recommend exploring the following resources and practices:
- WordPress Plugin Handbook on Security: Review the official documentation on Data Sanitization and Escaping to understand how to properly handle user input in shortcodes and other entry points.
- Output Escaping: Always use context-specific escaping functions such as
esc_attr(),esc_html(), andesc_url()when rendering user-supplied data in HTML templates or shortcode callbacks. - Shortcode Security: When implementing
add_shortcode, ensure that all attributes retrieved viashortcode_atts()are treated as untrusted and are sanitized/escaped before being returned or echoed. - OWASP Top 10: Study the OWASP guide on Cross-Site Scripting (XSS) to learn about the different types of XSS and modern mitigation strategies like Content Security Policy (CSP).
- Security Auditing Tools: Use static analysis security testing (SAST) tools specifically designed for PHP and WordPress to identify missing escaping and sanitization patterns in codebases.
Summary
The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via user-supplied attributes in the 'sliding_faq' shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript that executes in the context of a victim's browser when they visit the affected page due to missing output escaping.
Security Fix
@@ -124,7 +124,7 @@ extract(shortcode_atts(array( 'category' => '', ), $atts)); - $output = '<div class="ad-sliding-faq" data-category="' . $category . '">'; + $output = '<div class="ad-sliding-faq" data-category="' . esc_attr($category) . '">';
Exploit Outline
An attacker with Contributor-level permissions or higher logs into the WordPress dashboard and creates or edits a post. They insert the [sliding_faq] shortcode, including a malicious payload within the 'category' or other attributes, such as [sliding_faq category='"/><script>alert(1)</script>']. When the post is published or previewed, the unescaped attribute is rendered directly into the HTML output, causing the script to execute in the context of any user viewing the page.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.