Attack Vectors
The vulnerability in Sell BTC – Cryptocurrency Selling Calculator (WordPress plugin slug: sell-btc-by-hayyatapps) is a High-severity issue (CVSS 7.2) that can be exploited remotely over the internet without authentication. In practical terms, an attacker can submit malicious content through the plugin's orderform_data AJAX action, which is reachable without a WordPress session, and have it stored in the site's order records.
Because the injected content is stored, the attack does not rely on tricking a user into clicking a link. The script runs later, when an administrator views the plugin's Orders page inside the WordPress admin dashboard, and it runs in that administrator's browser with that administrator's session.
Security Weakness
CVE-2025-14554 is a Stored Cross-Site Scripting (Stored XSS) weakness caused by insufficient input sanitization and output escaping in versions up to and including 1.5 of the plugin. Untrusted data submitted to the orderform_data action is neither sanitized before it is saved to the database nor escaped when it is later rendered on the Orders page, so stored markup is emitted as-is into the admin page.
Version 1.5 included only a partial patch and is still listed as affected; the recommended remediation is to update to version 1.6 (or a newer patched version) to fully address the risk.
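To make the weakness concrete, the following is an added illustration, not the plugin's own code: a minimal unauthenticated WordPress AJAX handler that stores an order record and an admin page that renders it, first in the pattern the advisory describes (raw request data stored, raw rows echoed) and then hardened with input validation and output escaping. It covers both the attack path described under Attack Vectors and the missing controls described here. The table name, column names, function names, nonce name and capability check are all hypothetical; only the action name orderform_data comes from the advisory.

```php
<?php
/**
 * Added illustration (not the plugin's own code).
 * Hypothetical: table {$wpdb->prefix}sbtc_orders, its columns, the sbtc_* helper
 * names, the nonce name and the capability used for the Orders page.
 * From the advisory: the AJAX action name orderform_data.
 */

// ---------- Vulnerable pattern: raw request data stored, raw rows echoed ----------

function sbtc_vulnerable_orderform_data() {
    global $wpdb;
    // Whatever the anonymous client sent is written straight to the database.
    $wpdb->insert( $wpdb->prefix . 'sbtc_orders', array(
        'wallet'  => $_POST['wallet'],
        'amount'  => $_POST['amount'],
        'email'   => $_POST['email'],
        'created' => current_time( 'mysql' ),
    ) );
    wp_send_json_success();
}

function sbtc_vulnerable_orders_page() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT wallet, amount, email FROM {$wpdb->prefix}sbtc_orders" );
    echo '<table>';
    foreach ( $rows as $row ) {
        // Stored markup is emitted verbatim into the admin page: this is the stored XSS sink.
        echo "<tr><td>{$row->wallet}</td><td>{$row->amount}</td><td>{$row->email}</td></tr>";
    }
    echo '</table>';
}

// ---------- Hardened pattern: validate on the way in, escape on the way out ----------

function sbtc_hardened_orderform_data() {
    global $wpdb;

    // Ties the request to a form the site served. It does not stop an attacker who
    // loads the form first, so it is not a substitute for sanitization and escaping.
    check_ajax_referer( 'sbtc_orderform', 'nonce' );

    $wallet = isset( $_POST['wallet'] ) ? sanitize_text_field( wp_unslash( $_POST['wallet'] ) ) : '';
    $amount = isset( $_POST['amount'] ) ? (float) $_POST['amount'] : 0.0;
    $email  = isset( $_POST['email'] )  ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    // Reject values that do not match what an order can legitimately contain.
    if ( '' === $wallet || strlen( $wallet ) > 128 || $amount <= 0 || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid order data', 400 );
    }

    $wpdb->insert(
        $wpdb->prefix . 'sbtc_orders',
        array(
            'wallet'  => $wallet,
            'amount'  => $amount,
            'email'   => $email,
            'created' => current_time( 'mysql' ),
        ),
        array( '%s', '%f', '%s', '%s' ) // explicit column formats
    );
    wp_send_json_success();
}

function sbtc_hardened_orders_page() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $rows = $wpdb->get_results( "SELECT wallet, amount, email FROM {$wpdb->prefix}sbtc_orders" );
    echo '<table>';
    foreach ( $rows as $row ) {
        // esc_html() encodes <, >, &, " and ' so a stored value can never become
        // markup, even for rows written before the input path was fixed.
        printf(
            '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
            esc_html( $row->wallet ),
            esc_html( number_format( (float) $row->amount, 8 ) ),
            esc_html( $row->email )
        );
    }
    echo '</table>';
}

// wp_ajax_nopriv_* fires for requests with no WordPress session, which is why the
// vulnerable handler needed no login; the hardened handler is hooked the same way.
add_action( 'wp_ajax_nopriv_orderform_data', 'sbtc_hardened_orderform_data' );
add_action( 'wp_ajax_orderform_data',        'sbtc_hardened_orderform_data' );
```

The output escaping is the control that actually closes the hole: sanitize_text_field() reduces what reaches the database, but rows stored before the fix, or written through any other path, still reach the admin page, and esc_html() is what keeps them inert there. When reviewing a patched release, check that the Orders page escapes every column it prints, not only that the AJAX handler now sanitizes.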
Technical or Business Impacts
For leadership and compliance teams, the primary risk is administrative session compromise. When an admin views the Orders page, the stored script may execute in the context of the trusted WordPress dashboard. That can enable actions that appear to come from a legitimate administrator, increasing the likelihood of unauthorized changes.
From a business standpoint, this can translate into website integrity and brand risk (unauthorized content changes), operational disruption (time spent investigating and restoring), and compliance exposure if administrative access is used to access or manipulate business data. Because the exploit does not require a login, it can be attempted at scale against exposed sites, raising the urgency for marketing and operations teams responsible for uptime and reputation.
Severity is rated High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting that it is network-exploitable, requires no privileges and no victim interaction at submission time, and changes scope because the script executes in the administrator's browser rather than inside the plugin's own authorization boundary, with a limited impact on confidentiality and integrity in that admin context.
Similar Attacks
Stored XSS in web applications and content systems is a common route to administrative takeover and malicious site changes. Examples include:
CVE-2020-11022 (jQuery XSS) — widely relevant due to jQuery usage across websites
CVE-2025-14554 record (Sell BTC – Cryptocurrency Selling Calculator Stored XSS)