{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14865", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-18T01:29:23.705Z", "datePublished": "2026-01-28T12:28:37.446Z", "dateUpdated": "2026-04-08T16:51:48.829Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:48.829Z"}, "affected": [{"vendor": "wpchill", "product": "Passster \u2013 Password Protect Pages and Content", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.24", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Passster \u2013 Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21."}], "title": "Passster \u2013 Password Protect Pages and Content <= 4.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea939f5-8b56-44be-bd20-b69e9ded5970?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/content-protector/tags/4.2.20/inc/class-ps-public.php#L136"}, {"url": "https://plugins.trac.wordpress.org/changeset/3422595/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439532/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-12-18T01:44:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-27T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T14:56:16.570698Z", "id": "CVE-2025-14865", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:56:32.212Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T14:56:16.570698Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:56:22.126Z"}}], "cna": {"title": "Passster \u2013 Password Protect Pages and Content <= 4.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpchill", "product": "Passster \u2013 Password Protect Pages and Content", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.2.24"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-18T01:44:42.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-27T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea939f5-8b56-44be-bd20-b69e9ded5970?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/content-protector/tags/4.2.20/inc/class-ps-public.php#L136"}, {"url": "https://plugins.trac.wordpress.org/changeset/3422595/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439532/"}], "descriptions": [{"lang": "en", "value": "The Passster \u2013 Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-28T12:28:37.446Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14865", "state": "PUBLISHED", "dateUpdated": "2026-01-28T14:56:32.212Z", "dateReserved": "2025-12-18T01:29:23.705Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T12:28:37.446Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Passster \u2013 Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21."}, {"lang": "es", "value": "El plugin Passster \u2013 Password Protect Pages and Content para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del shortcode 'content_protector' del plugin en todas las versiones hasta la 4.2.24, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. La vulnerabilidad fue parcheada parcialmente en la versi\u00f3n 4.2.21."}], "id": "CVE-2025-14865", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-28T13:15:52.930", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/content-protector/tags/4.2.20/inc/class-ps-public.php#L136"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3422595/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3439532/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea939f5-8b56-44be-bd20-b69e9ded5970?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:08:09.455293+00:00", "value": {"mitigation_remediation": ["Upgrade Passster to the latest official release that removes the content_protector XSS flaw\u2014any version above 4.2.24.", "If an upgrade is not possible, restrict Contributor (and lower) roles from inserting the content_protector shortcode or configure a content\u2011sanitization plugin to strip outbound scripts from the shortcode output.", "For sites that cannot change roles or add additional plugins, locate all existing content_protector shortcodes in the database and delete or replace them with safe content, or remove the shortcode entirely from the editor using a code snippet or plugin that hides it from editors."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting that can be executed by authenticated Contributor+ users leading to arbitrary script execution"}, "threat_synthesis": {"affected_systems": "All versions of Passster released up to and including 4.2.24 are affected. The plugin is developed by WPChill and the vulnerability was partially addressed in release 4.2.21, but the issue remains present through 4.2.24. WordPress sites using these versions of the plugin should be checked for the presence of the content_protector shortcode and the extent of protected content.", "description_and_impact": "The Passster \u2013 Password Protect Pages and Content plugin contains a stored Cross\u2011Site Scripting flaw that is exploitable through its content_protector shortcode. The flaw allows an authenticated user with Contributor permission or higher to inject arbitrary JavaScript into a protected page. When any visitor loads the affected page the injected script runs in the visitor\u2019s browser, potentially enabling credential theft, session hijacking, or defacement. The weakness corresponds to CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of less than 1% signals a low probability of immediate exploitation in the wild. The vulnerability requires authenticated access at the Contributor level, so an attacker must first gain or abuse such an account. Once the malicious code is stored, any user who visits the protected page becomes a victim, meaning that the impact can propagate to all site visitors. The plugin is not listed in CISA\u2019s KEV catalog, but administrators should treat the flaw with the same priority as commercial XSS flaws given the potential for abuse."}}}}, "created": "2026-01-29T09:18:03.424216+00:00", "updated": "2026-04-21T16:15:40.501680+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$passster"]}