CVE-2025-14554

Published Jan 31, 2026

Last updated 7 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-14554 describes a Stored Cross-Site Scripting (XSS) vulnerability found in the "Sell BTC - Cryptocurrency Selling Calculator" plugin for WordPress. This flaw affects all versions of the plugin up to and including 1.5. The vulnerability stems from inadequate input sanitization and output escaping within the 'orderform_data' AJAX action. Exploitation of this vulnerability allows unauthenticated attackers to inject arbitrary web scripts into order records. These malicious scripts are then executed whenever an administrator accesses the Orders page within the WordPress admin dashboard. A partial patch for this issue was released in version 1.5 of the plugin.

Description: The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5.
Source: security@wordfence.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.2
Impact score: 2.7
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Severity: HIGH

Weaknesses

security@wordfence.com: CWE-79

Hype score: Not currently trending

References