{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14030", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T14:34:19.986Z", "datePublished": "2025-12-12T11:15:51.633Z", "dateUpdated": "2026-04-08T17:25:31.972Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:31.972Z"}, "affected": [{"vendor": "soportecibeles", "product": "AI Feeds", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.22", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "AI Feeds <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aife_post_meta' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d33721e2-0a90-4102-84d5-2633c0fd47ed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ai-feeds/trunk/includes/functions.php#L58"}, {"url": "https://plugins.trac.wordpress.org/browser/ai-feeds/tags/1.0.12/includes/functions.php#L58"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417124%40ai-feeds&new=3417124%40ai-feeds&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-04T14:49:29.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-11T21:24:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T14:31:41.282026Z", "id": "CVE-2025-14030", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T14:31:53.631Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14030", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T14:31:41.282026Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T14:31:47.193Z"}}], "cna": {"title": "AI Feeds <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aife_post_meta' Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "soportecibeles", "product": "AI Feeds", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.22"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T14:49:29.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-11T21:24:12.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d33721e2-0a90-4102-84d5-2633c0fd47ed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ai-feeds/trunk/includes/functions.php#L58"}, {"url": "https://plugins.trac.wordpress.org/browser/ai-feeds/tags/1.0.12/includes/functions.php#L58"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417124%40ai-feeds&new=3417124%40ai-feeds&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T11:15:51.633Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14030", "state": "PUBLISHED", "dateUpdated": "2025-12-12T14:31:53.631Z", "dateReserved": "2025-12-04T14:34:19.986Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T11:15:51.633Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-14030", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T12:15:45.897", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ai-feeds/tags/1.0.12/includes/functions.php#L58"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ai-feeds/trunk/includes/functions.php#L58"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417124%40ai-feeds&new=3417124%40ai-feeds&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d33721e2-0a90-4102-84d5-2633c0fd47ed?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:27:18.365376+00:00", "value": {"mitigation_remediation": ["Upgrade the AI Feeds plugin to a version newer than 1.0.22, which contains the missing input sanitization and output escaping. ", "Restrict the Contributor role or any role that can edit posts to only trusted users, thereby limiting the pool of attackers who can inject the malicious payload. ", "If an upgrade is not immediately possible, disable the problematic shortcode by removing it from posts or by using a plugin that sanitizes shortcode content before rendering."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of AI Feeds version 1.0.22 or earlier are affected. The plugin is distributed by Soportecibeles and can be run on any WordPress site that includes this version of the plugin.", "description_and_impact": "The AI Feeds plugin for WordPress contains a stored cross\u2011site scripting flaw in the 'aife_post_meta' shortcode. Viewers of pages that use this shortcode can be presented with malicious script code when a contributor or higher\u2011privileged user injects a payload. This flaw arises from inadequate input sanitization and output escaping, allowing the attacker to execute arbitrary client\u2011side code in the context of other site visitors, potentially leading to session hijacking, defacement, or phishing.", "risk_and_exploitability": "The vulnerability is rated CVSS 6.4, indicating moderate severity. EPSS is less than 1%, suggesting a low probability of exploitation at the time of assessment, and the flaw is not listed in CISA\u2019s KEV catalog. However, because it is a stored XSS that requires authenticated Contributor\u2011level access, attackers who can obtain that permission could easily inject and persist malicious scripts that will run for all visitors of affected pages. Successful exploitation could compromise user accounts and the integrity of the site\u2019s content."}}}}, "created": "2025-12-14T21:16:35.500880+00:00", "updated": "2026-04-20T21:30:18.591708+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}