Electric Enquiries Vulnerability (Medium) – CVE-2025-14142


Feb 26, 2026 | Plugins

Attack Vectors

Electric Enquiries (slug: electric-enquiries) versions <= 1.1 have a medium-severity Stored Cross-Site Scripting (XSS) issue (CVE-2025-14142, CVSS 6.4) that can be exploited by an authenticated user with Contributor-level access or higher.

The attack path is straightforward: an attacker (or a compromised contributor account) adds or edits content that uses the [electric-enquiry] shortcode and injects malicious script via the shortcode’s button attribute. Because the payload is stored in the post content, the script executes later whenever any user views the affected page—without requiring the viewer to click anything.

For reference, the CVE record is available here: https://www.cve.org/CVERecord?id=CVE-2025-14142.

Security Weakness

This vulnerability is caused by insufficient input sanitization and output escaping of the button parameter in the Electric Enquiries shortcode. In practical terms, the plugin does not adequately prevent script content from being saved and later rendered in a way that a browser will execute.
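To make the weakness concrete, here is an added illustration (not the plugin's own code) of a shortcode handler written in the pattern the advisory describes, where the button attribute reaches the page unescaped, next to a hardened version that uses WordPress's own escaping helpers. The function names, the form markup and the 60-character cap are assumptions for the example.

```php
<?php
// Added example, not Electric Enquiries' code. Both handlers render the
// [electric-enquiry button="..."] shortcode; only the second one is safe.

// WEAK: the Contributor-controlled attribute is concatenated straight into
// markup, so whatever was stored in the post is emitted verbatim and the
// browser interprets it as HTML when any visitor loads the page.
function ee_example_enquiry_shortcode_weak( $atts ) {
    $atts = shortcode_atts( array( 'button' => 'Send enquiry' ), $atts, 'electric-enquiry' );
    return '<form class="electric-enquiry" method="post">'
        . '<input type="email" name="ee_email" />'
        . '<button type="submit">' . $atts['button'] . '</button>'
        . '</form>';
}

// HARDENED: strip tags and bound the length on the way in, escape on the way
// out. esc_html() is the right helper for element text; use esc_attr() if the
// value ever lands inside an HTML attribute instead.
function ee_example_enquiry_shortcode_safe( $atts ) {
    $atts  = shortcode_atts( array( 'button' => 'Send enquiry' ), $atts, 'electric-enquiry' );
    $label = wp_strip_all_tags( $atts['button'] );
    $label = mb_substr( $label, 0, 60 ); // assumed cap: a button label never needs more
    if ( '' === $label ) {
        $label = 'Send enquiry';
    }
    return '<form class="electric-enquiry" method="post">'
        . '<input type="email" name="ee_email" />'
        . '<button type="submit">' . esc_html( $label ) . '</button>'
        . '</form>';
}

// Register only the hardened handler; the weak one exists for comparison.
add_shortcode( 'electric-enquiry', 'ee_example_enquiry_shortcode_safe' );
```

Note that WordPress's save-time filtering for users without the unfiltered_html capability is not a substitute for output escaping: the shortcode handler runs on every render and must treat the stored attribute as untrusted text.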

The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) highlights why business teams should care: it is remotely reachable over the network, requires only low privileges (Contributor+), does not require user interaction, and can cross security boundaries (scope change), increasing the potential impact across your WordPress environment.

Remediation note: no known patch is available at the time of reporting. Organizations should assess risk tolerance and consider uninstalling the affected plugin and replacing it. Source details: Wordfence vulnerability report.

Technical or Business Impacts

Brand and customer trust risk: Stored XSS can be used to alter on-page content, inject fraudulent messages, or display misleading calls-to-action on high-traffic pages—damaging credibility and potentially impacting conversion rates.

Account and data exposure risk: If scripts run in an authenticated user’s browser session (for example, a marketer, editor, or administrator), they can be used to capture session information or perform unauthorized actions on the user’s behalf—raising the risk of broader site compromise and unauthorized content changes.

Compliance and governance risk: Content injection and unauthorized changes can create audit and compliance concerns—especially if your website is used to collect enquiries, personal data, or supports regulated communications. Even a “medium” severity finding can be material if the affected pages are business-critical or frequently accessed by privileged staff.

Operational risk: With “no known patch available,” the risk can persist indefinitely unless mitigations are applied. Typical risk-reduction steps include: uninstalling and replacing Electric Enquiries; limiting Contributor access and reviewing who can publish or edit shortcode-enabled pages; auditing pages/posts for use of the [electric-enquiry] shortcode; and increasing monitoring for unexpected content changes.

Similar attacks (real examples): Stored XSS has repeatedly impacted WordPress plugins and site owners. Examples include vulnerabilities reported in Elementor (Wordfence report) and WP Statistics (Wordfence report), as well as Contact Form 7 issues documented by security researchers (WPScan plugin advisory page).
