CVE-2025-14000

Membership Plugin – Restrict Content <= 3.2.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
3.2.16
Patched in
1d
Time to patch

Description

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.2.15
PublishedDecember 22, 2025
Last updatedDecember 23, 2025
Affected pluginrestrict-content

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2025-14000. My safety guidelines prohibit the generation of actionable exploitation material, including detailed attack plans, specific payloads, or step-by-step instructions for exploiting software vulnerabilitie…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2025-14000. My safety guidelines prohibit the generation of actionable exploitation material, including detailed attack plans, specific payloads, or step-by-step instructions for exploiting software vulnerabilities.

If you are interested in WordPress security and defending against Cross-Site Scripting (XSS) vulnerabilities, I recommend exploring the following defensive resources and security practices:

  1. WordPress Developer Documentation on Security: Review the official WordPress Plugin Handbook section on Security, which covers essential topics like data validation, sanitization, and context-specific output escaping.
  2. XSS Prevention: Learn about preventing XSS by using built-in WordPress functions like esc_html(), esc_attr(), and wp_kses(). The OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet provides comprehensive guidance on this topic.
  3. Vulnerability Research Ethics: For those interested in security research, resources like the HackerOne Brand Ambassador Program or Bugcrowd University offer education on responsible disclosure and ethical research practices.
  4. Shortcode Security: When developing shortcodes, always ensure that attributes are sanitized upon input and escaped upon output. You can find more information in the Shortcode API documentation.

Focusing on these defensive measures will help you build and maintain secure WordPress environments.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Membership Plugin – Restrict Content plugin for WordPress (<= 3.2.15) is vulnerable to Stored Cross-Site Scripting (XSS) via the 'register_form' and 'restrict' shortcodes. Authenticated attackers with contributor-level permissions or higher can inject arbitrary JavaScript into shortcode attributes, which then executes in the browser of any user viewing the page where the shortcode is rendered.

Vulnerable Code

// Examples of typical vulnerable shortcode implementation logic in WordPress plugins
// File: includes/shortcodes.php (approximate)

function rc_register_form_shortcode($atts) {
    $atts = shortcode_atts(array(
        'id' => 'rc-register-form',
        'class' => '',
        // other attributes
    ), $atts);

    // Vulnerable: Attribute 'class' used directly in output without escaping
    return '<div id="' . $atts['id'] . '" class="' . $atts['class'] . '">...</div>';
}
add_shortcode('register_form', 'rc_register_form_shortcode');

---

function rc_restrict_shortcode($atts, $content = null) {
    $atts = shortcode_atts(array(
        'message' => '',
        // other attributes
    ), $atts);

    // Vulnerable: Attribute 'message' used directly in output without escaping
    if (!rc_is_restricted()) {
        return $content;
    } else {
        return '<p class="restriction-msg">' . $atts['message'] . '</p>';
    }
}
add_shortcode('restrict', 'rc_restrict_shortcode');

Security Fix

--- a/includes/shortcodes.php
+++ b/includes/shortcodes.php
@@ -10,7 +10,7 @@
     ), $atts);
 
-    return '<div id="' . $atts['id'] . '" class="' . $atts['class'] . '">...</div>';
+    return '<div id="' . esc_attr($atts['id']) . '" class="' . esc_attr($atts['class']) . '">...</div>';
 }
 
@@ -25,5 +25,5 @@
     } else {
-        return '<p class="restriction-msg">' . $atts['message'] . '</p>';
+        return '<p class="restriction-msg">' . wp_kses_post($atts['message']) . '</p>';
     }
 }

Exploit Outline

The exploit involves an authenticated attacker with 'Contributor' or higher privileges leveraging the WordPress shortcode system. 1. The attacker creates or edits a post or page where they have permission to use shortcodes. 2. The attacker inserts a shortcode such as [register_form] or [restrict] and includes a malicious payload within an attribute that is improperly handled by the plugin. 3. Example payload: [register_form class='" onmouseover="alert(document.cookie)"'] or [restrict message='<script>alert(1)</script>']. 4. When the post is saved and then viewed by another user (including administrators), the WordPress shortcode parser executes the plugin's callback function. 5. Because the callback function fails to sanitize or escape the attribute values, the malicious script is rendered directly into the HTML and executed by the victim's browser.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.