{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14048", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T16:52:11.423Z", "datePublished": "2025-12-12T03:20:42.443Z", "dateUpdated": "2026-04-08T16:44:12.011Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:12.011Z"}, "affected": [{"vendor": "jonahsc", "product": "SimplyConvert", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplyconvert_hash' option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "SimplyConvert <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'simplyconvert_hash' Option", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d720466-e470-46a3-8129-3e58e1928f0d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simplyconvert/trunk/simplyconvert.php#L137"}, {"url": "https://plugins.trac.wordpress.org/browser/simplyconvert/tags/1.0/simplyconvert.php#L137"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "timeline": [{"time": "2025-12-11T14:21:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T18:07:25.379034Z", "id": "CVE-2025-14048", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:16:28.116Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14048", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T18:07:25.379034Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:07:27.850Z"}}], "cna": {"title": "SimplyConvert <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'simplyconvert_hash' Option", "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "jonahsc", "product": "SimplyConvert", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:21:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d720466-e470-46a3-8129-3e58e1928f0d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simplyconvert/trunk/simplyconvert.php#L137"}, {"url": "https://plugins.trac.wordpress.org/browser/simplyconvert/tags/1.0/simplyconvert.php#L137"}], "descriptions": [{"lang": "en", "value": "The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplyconvert_hash' option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T03:20:42.443Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14048", "state": "PUBLISHED", "dateUpdated": "2025-12-15T18:16:28.116Z", "dateReserved": "2025-12-04T16:52:11.423Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:42.443Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplyconvert_hash' option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-14048", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:46.730", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simplyconvert/tags/1.0/simplyconvert.php#L137"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simplyconvert/trunk/simplyconvert.php#L137"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d720466-e470-46a3-8129-3e58e1928f0d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:14:10.563478+00:00", "value": {"mitigation_remediation": ["Upgrade the SimplyConvert plugin to the latest available version or uninstall the plugin if an upgrade is not available.", "Limit administrator privileges to a trusted set of users and consider disabling or removing the simplyconvert_hash option to eliminate the injection vector.", "Implement a Web Application Firewall or enforce a strict Content Security Policy that blocks or sanitizes injected scripts on the site to mitigate the impact of the stored XSS attack."], "summary": {"action": "Apply Plugin Update", "impact": "Stored Cross\u2011Site Scripting (XSS) that can be executed by other users when an administrator chooses a malicious value for the simplyconvert_hash option in the SimplyConvert WordPress plugin."}, "threat_synthesis": {"affected_systems": "All instances of the SimplyConvert plugin by jonahsc for WordPress with versions up to and including 1.0 are affected. The flaw exists in the plugin\u2019s option handling and does not rely on specific WordPress core versions beyond the normal plugin compatibility.", "description_and_impact": "The vulnerability arises from insufficient sanitization and output escaping of the simplyconvert_hash option within the SimplyConvert plugin for WordPress. An attacker who can log in with administrator privileges can submit a crafted value for this option, which is then stored and rendered on pages that reference the option. When a user visits such a page, the injected script runs in the browser, potentially allowing the attacker to steal credentials, inject malware, or deface the site. The impact is confined to browsers that load the affected page and requires the attacker to possess administrator access to the site.", "risk_and_exploitability": "The CVSS score of 4.4 indicates low severity, and the EPSS score of less than 1% suggests that exploitation is unlikely at the macro scale, especially since the attacker must obtain administrator privileges on the target WordPress installation. The vulnerability is not listed in the CISA KEV catalog, further reducing the immediacy of a known widespread exploit. Nonetheless, sites with compromised or weakly protected administrator accounts remain at risk of XSS-mediated attacks that can affect authenticated users."}}}}, "created": "2025-12-12T08:48:26.454693+00:00", "updated": "2026-04-22T16:15:21.794361+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}