CVE-2025-14554
📋 TL;DR
This stored XSS vulnerability in the Sell BTC WordPress plugin allows unauthenticated attackers to inject malicious scripts into order records. When administrators view the Orders page in the WordPress dashboard, these scripts execute in their browser session. All WordPress sites using this plugin up to version 1.5 are affected.
💻 Affected Systems
- Sell BTC - Cryptocurrency Selling Calculator WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full WordPress site takeover, data theft, or malware distribution to site visitors.
Likely Case
Session hijacking of administrator accounts, defacement of admin pages, or theft of sensitive order data.
If Mitigated
Limited impact with proper CSP headers and admin session security, though XSS payloads could still execute.
🎯 Exploit Status
Exploitation requires crafting malicious order data via the 'orderform_data' AJAX endpoint. The vulnerability is partially patched in version 1.5, suggesting ongoing security issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.5 (check WordPress plugin repository for latest)
Vendor Advisory: https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/
Restart Required: No
Instructions:
1. Log into the WordPress admin dashboard.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Sell BTC - Cryptocurrency Selling Calculator'.
4. Click 'Update Now' if available.
5. If no update appears, manually download the latest version from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Temporarily block requests for the vulnerable 'orderform_data' AJAX action via .htaccess or web server configuration. Note that mod_rewrite only sees the request path and query string: if the plugin's form sends the action in the POST body, this rule will not match and a WAF or ModSecurity rule that inspects the body is needed.
# Add to .htaccess (a RewriteRule pattern matches the path only, so the query string is tested with RewriteCond):
RewriteCond %{QUERY_STRING} (^|&)action=orderform_data(&|$)
RewriteRule ^wp-admin/admin-ajax\.php$ - [F]
Deactivate plugin
Completely disable the plugin until a patched version is available.
wp plugin deactivate sell-btc-by-hayyatapps
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Restrict admin dashboard access to specific IP addresses using web server rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Sell BTC' plugin version 1.5 or earlier.
Check Version:
wp plugin list --name=sell-btc-by-hayyatapps --field=version
Verify Fix Applied:
After update, verify plugin version is greater than 1.5 and test order submission functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=orderform_data containing script tags
- Multiple failed order submissions with JavaScript payloads
Network Indicators:
- HTTP requests with base64-encoded or obfuscated JavaScript in order data parameters
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "orderform_data" AND ("<script>" OR "javascript:")
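The log and network indicators above, turned into a small detector run over constructed request-log lines. This is an added example, not code from the advisory or the plugin; it assumes a JSON-lines request log that records the POST body (a plain access log does not, a WAF audit log typically does) with the hypothetical fields client, method, uri and body, and it extends the page's indicators with inline event handlers and base64 blobs that decode to script.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the advisory (raw <script> tags, javascript: URLs), extended
# with inline event handlers and with base64 blobs that decode to the same
# patterns (the "obfuscated JavaScript" network indicator).
SCRIPT_RE = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def looks_like_script(value: str) -> bool:
    """True if a parameter value carries script content, raw or base64-wrapped."""
    if SCRIPT_RE.search(value):
        return True
    for blob in B64_RE.findall(value):
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if SCRIPT_RE.search(decoded):
            return True
    return False

def is_suspicious(event: dict) -> bool:
    """POST to admin-ajax.php, action=orderform_data (query string or body),
    and at least one parameter value that looks like script."""
    if event.get("method") != "POST":
        return False
    parts = urlsplit(event.get("uri", ""))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    params = parse_qs(parts.query)  # parse_qs also percent-decodes values
    params.update(parse_qs(event.get("body", "")))
    if "orderform_data" not in params.get("action", []):
        return False
    return any(looks_like_script(v) for vals in params.values() for v in vals)

def scan(lines):
    """Return the client IPs of suspicious events in a JSON-lines request log."""
    return [ev["client"] for ev in map(json.loads, lines) if is_suspicious(ev)]

# Constructed sample log (hypothetical WAF audit format that records POST bodies).
SAMPLE_LOG = [
    '{"client":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=orderform_data&name=Alice&amount=0.01"}',
    '{"client":"203.0.113.9","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=orderform_data&name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}',
    '{"client":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php?action=orderform_data","body":"name=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="}',
    '{"client":"198.51.100.8","method":"GET","uri":"/wp-admin/admin-ajax.php?action=heartbeat","body":""}',
]
```

Only the second and third sample events are flagged: the benign order and the unrelated heartbeat request pass through, which is the false-positive check a SIEM rule built from the query above should also survive.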
🔗 References
- https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/Pages/orders.php#L30
- https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions-admin.php#L39
- https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions/form_tab.php#L12
- https://plugins.trac.wordpress.org/changeset/3433480/
- https://plugins.trac.wordpress.org/changeset/3450361/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/720be34d-3fe4-4395-a27b-d386f8612ba9?source=cve