VYPR
High severity (7.2) · NVD Advisory · Published Jan 31, 2026 · Updated Apr 15, 2026

CVE-2025-14554

Description

Stored XSS in Sell BTC plugin up to v1.5 allows unauthenticated attackers to inject scripts via order form fields, executing in admin dashboard.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Sell BTC – Cryptocurrency Selling Calculator plugin for WordPress (versions up to and including 1.5) is vulnerable to Stored Cross-Site Scripting (XSS) via the orderform_data AJAX action. The HAPPS_ORDER_FORM_ADD function in functions/form_tab.php [1] inserts user-supplied data from the order form directly into the database without sanitization, using only trim(). When an administrator views the Orders page (Pages/orders.php), the plugin outputs these fields with esc_attr() but does not escape for HTML context, allowing arbitrary HTML and script injection [2].

Exploitation

An unauthenticated attacker can submit a crafted order via the plugin’s order form, injecting malicious JavaScript into any of the input fields (e.g., happs-FirstName, happs-CustomMessage). No authentication or special privileges are required to submit the form. The injected payload is stored in the happs_sellbtc_orders table and executed automatically when a site administrator views the Orders page in the WordPress admin dashboard.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the administrator’s browser session. This can lead to session hijacking, administrative actions (e.g., user creation, plugin modification), or defacement. The impact escalates to full site compromise if the administrator has elevated privileges.

Mitigation

The vendor released a partial fix in version 1.5, but according to the description, that version does not fully resolve the issue. The recommendation is to apply proper output escaping (e.g., esc_html() instead of esc_attr()) and input validation. As of this writing, no fully patched version is confirmed. Users should disable the plugin until a complete fix is available.
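As an added illustration of the input-validation and escape-on-output pattern the mitigation calls for, not code from the plugin or its vendor: a hypothetical handler for the orderform_data AJAX action that sanitizes each order field before storage, and an admin orders-table renderer that escapes every stored value for the HTML context it is written into. The column names, the length cap, the table prefix and the example_ function names are assumptions; the action, field and table names follow the narrative above.

```php
<?php
// Hypothetical hardened handler and renderer in the shape the narrative
// describes; not the Sell BTC plugin's code. Column names, the length cap
// and the example_ function names are assumptions for this illustration.

add_action( 'wp_ajax_nopriv_orderform_data', 'example_handle_order_form' );
add_action( 'wp_ajax_orderform_data', 'example_handle_order_form' );

// Input side: sanitize every submitted field, not just trim() it.
function example_sanitize_order( array $post ) {
    $clean = array();
    foreach ( array( 'happs-FirstName', 'happs-CustomMessage' ) as $field ) {
        $raw = isset( $post[ $field ] ) ? wp_unslash( $post[ $field ] ) : '';
        // sanitize_text_field() strips tags, control characters and
        // surrounding whitespace; the 500-character cap is an assumed limit.
        $clean[ $field ] = mb_substr( sanitize_text_field( $raw ), 0, 500 );
    }
    return $clean;
}

function example_handle_order_form() {
    global $wpdb;
    $clean = example_sanitize_order( $_POST );
    $wpdb->insert(
        $wpdb->prefix . 'happs_sellbtc_orders',   // table from the narrative, prefix assumed
        array(
            'first_name'     => $clean['happs-FirstName'],
            'custom_message' => $clean['happs-CustomMessage'],
        ),
        array( '%s', '%s' )
    );
    wp_send_json_success();
}

// Output side: escape at the moment of output, for the context the value
// lands in. Stored rows are never trusted, sanitized on input or not.
function example_render_orders_table( array $rows ) {
    echo '<table class="widefat"><thead><tr><th>Name</th><th>Message</th></tr></thead><tbody>';
    foreach ( $rows as $row ) {
        printf(
            '<tr data-order-id="%s"><td>%s</td><td>%s</td></tr>',
            esc_attr( $row['id'] ),            // attribute-value context
            esc_html( $row['first_name'] ),    // HTML text context
            esc_html( $row['custom_message'] )
        );
    }
    echo '</tbody></table>';
}
```

Any other place the plugin echoes a stored field (detail views, CSV export, e-mail notifications) needs the same treatment with the escaping function for that context.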

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 2

References: 6

News mentions: 0