{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14792", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-16T16:18:36.518Z", "datePublished": "2026-01-07T07:17:34.898Z", "dateUpdated": "2026-04-08T17:33:10.803Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:10.803Z"}, "affected": [{"vendor": "audrasjb", "product": "Key Figures", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default_color_render", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4943899-a25a-4e50-b33e-139ed5e8f748?source=cve"}, {"url": "http://plugins.trac.wordpress.org/browser/key-figures/tags/1.1/admin/kf-admin.php#L201"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "cweId": "CWE-80", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2025-12-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-06T18:36:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T14:49:34.393182Z", "id": "CVE-2025-14792", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:13:04.543Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14792", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T14:49:34.393182Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:50:00.787Z"}}], "cna": {"title": "Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default_color_render", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "audrasjb", "product": "Key Figures", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-06T18:36:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4943899-a25a-4e50-b33e-139ed5e8f748?source=cve"}, {"url": "http://plugins.trac.wordpress.org/browser/key-figures/tags/1.1/admin/kf-admin.php#L201"}], "descriptions": [{"lang": "en", "value": "The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:10.803Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14792", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:10.803Z", "dateReserved": "2025-12-16T16:18:36.518Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T07:17:34.898Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-14792", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:56.177", "references": [{"source": "security@wordfence.com", "url": "http://plugins.trac.wordpress.org/browser/key-figures/tags/1.1/admin/kf-admin.php#L201"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4943899-a25a-4e50-b33e-139ed5e8f748?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:17:04.584918+00:00", "value": {"mitigation_remediation": ["Upgrade the Key Figures plugin to a release newer than 1.1 that contains the XSS fix.", "Disable unfiltered_html for administrators on multisite installations or configure it to allow only trusted accounts.", "Delete or sanitize any figure entries that contain suspicious or script\u2011based default color values.", "Regularly audit plugin configuration files and perform vulnerability scanning to detect residual XSS content."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the Key Figures plugin up to and including version 1.1 are affected when used on a multi\u2011site WordPress network or when the unfiltered_html capability has been disabled. The issue is limited to WordPress environments that deploy this plugin in those specific configurations.", "description_and_impact": "The Key Figures WordPress plugin contains a Stored Cross-Site Scripting flaw that allows an authenticated administrator to inject arbitrary JavaScript via the kf_field_figure_default_color_render function. Because the plugin does not properly sanitize or escape user input, the injected script will run in the browser of any user who views a page that contains the malicious figure value, enabling the attacker to steal session data, deface content or potentially redirect users to malicious sites. This vulnerability exposes the confidentiality and integrity of site data to any authenticated user with administrative privileges.", "risk_and_exploitability": "The CVSS score of 4.4 places the flaw in the moderate range, while the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. In practice, an attacker would need access to an administrator account in the affected WordPress network to execute the stored payload, implying that credential compromise or social engineering could be the primary exploitation path."}}}}, "created": "2026-01-08T09:49:27.117156+00:00", "updated": "2026-04-20T21:30:18.563239+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}