CVE-2025-14554

7.2 HIGH
Published: January 31, 2026 Modified: February 03, 2026

Description

The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5.
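The description names two distinct defects: the AJAX handler stores whatever the unauthenticated request supplies, and the admin Orders page renders it without escaping. The following PHP is an added illustration of that pattern and of a hardened handler; it is not the Sell BTC plugin's own code. The action name `orderform_data` comes from the advisory, but the function names, the `sellbtc_orders` option key, the nonce action, and the `wallet`/`amount`/`email` field names are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Hook names, option key and field
// names are hypothetical; only the AJAX action name comes from the advisory.

// --- Vulnerable pattern (shown for contrast, deliberately not hooked) ---
// An unauthenticated AJAX action (wp_ajax_nopriv_*) writes raw POST data
// into an order record that the admin dashboard later prints verbatim.
function vuln_orderform_data() {
    $orders   = get_option('sellbtc_orders', []);
    $orders[] = [
        'wallet' => $_POST['wallet'] ?? '',   // stored without sanitization
        'amount' => $_POST['amount'] ?? '',
        'email'  => $_POST['email']  ?? '',
    ];
    update_option('sellbtc_orders', $orders);
    wp_send_json_success();
}
function vuln_render_orders() {
    foreach (get_option('sellbtc_orders', []) as $o) {
        // Unescaped output: a stored <script> runs in the admin's browser.
        echo '<tr><td>' . $o['wallet'] . '</td><td>' . $o['amount']
           . '</td><td>' . $o['email'] . '</td></tr>';
    }
}

// --- Hardened handler: validate on input, escape on output ---
add_action('wp_ajax_nopriv_orderform_data', 'safe_orderform_data');
add_action('wp_ajax_orderform_data', 'safe_orderform_data');
function safe_orderform_data() {
    // The order form is public by design, so a nonce bound to the rendered
    // form is a CSRF check only; it does not authenticate the caller.
    check_ajax_referer('sellbtc_orderform', 'nonce');

    $wallet = sanitize_text_field(wp_unslash($_POST['wallet'] ?? ''));
    $amount = wp_unslash($_POST['amount'] ?? '');
    $email  = sanitize_email(wp_unslash($_POST['email'] ?? ''));

    // Allow-list validation: reject anything that is not a plausible value
    // instead of trying to strip dangerous characters out of it. The wallet
    // pattern is illustrative, not a full Bitcoin address check.
    if (!preg_match('/^[A-Za-z0-9]{26,62}$/', $wallet)
        || !is_numeric($amount) || (float) $amount <= 0
        || !is_email($email)) {
        wp_send_json_error('invalid order', 400);
    }

    $orders   = get_option('sellbtc_orders', []);
    $orders[] = ['wallet' => $wallet, 'amount' => (float) $amount, 'email' => $email];
    update_option('sellbtc_orders', $orders, false);
    wp_send_json_success();
}

function safe_render_orders() {
    if (!current_user_can('manage_options')) {
        return;
    }
    foreach (get_option('sellbtc_orders', []) as $o) {
        // Contextual escaping at the point of output. Stored records are
        // treated as untrusted even though they were validated on the way
        // in, so records injected before a fix are neutralized as well.
        printf(
            '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
            esc_html($o['wallet']),
            esc_html(number_format((float) $o['amount'], 8)),
            esc_html($o['email'])
        );
    }
}
```

Output escaping is the decisive control here: input sanitization alone cannot be relied on, because any record already written to the database by an unpatched version stays there after an upgrade, and the advisory notes that 1.5 is only a partial fix. Escaping with `esc_html()` (or `esc_attr()` inside attributes) on every render of stored order data neutralizes both old and new records.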

AI Explanation

### 1. Plain-Language Summary

The Sell BTC WordPress plugin allows unauthenticated attackers to inject malicious code into order records. When an admin views the Orders page in their dashboard, this code runs automatically in the admin's browser, enabling actions with the admin's privileges.

### 2. Who Is Affected

- **Product**: Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress.
- **Affected Versions**: All versions up to and including **1.5**. Version 1.5 has a **partial patch**, meaning it may still be vulnerable.

### 3. Attacker Exploitation Impact

- Injects persistent malicious scripts (e.g., JavaScript) into order data.
- Executes when admins view the Orders page, enabling:
  - Requests made with the admin's authenticated session (WordPress auth cookies are HttpOnly by default, so the script acts through the browser rather than by reading the cookie), which can amount to full account takeover.
  - Unauthorized admin actions (e.g., modifying settings, adding users).
  - Defacement or malware distribution via the compromised admin panel.

### 4. Recommended Remediation Steps

1. **Immediate Update**: Upgrade to a version **newer than 1.5** once fully patched (monitor plugin vendor releases). If unavailable, disable the plugin.
2. **Temporary Mitigations**:
   - Restrict admin dashboard access to trusted IPs (e.g., via `.ht

Generated: 2026-02-01 00:18

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Quick Stats

CVSS v3 Score
7.2 / 10.0
EPSS (Exploit Probability)
0.1%
19th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)