CVE-2025-13678 is a stored cross-site scripting vulnerability identified in the Thai Lottery Widget plugin for WordPress, affecting all versions up to and including 2.5. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied parameters, specifically the 'width' and 'height' attributes within the 'thailottery' shortcode. Authenticated users with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize this shortcode. When other users access these pages, the injected scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or manipulate page content. The vulnerability does not require user interaction beyond visiting the affected page and has a CVSS 3.1 base score of 6.4, indicating medium severity. The attack vector is network-based, with low complexity, but requires privileges (Contributor or above). The scope is changed as the vulnerability affects data accessible to other users, impacting confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or user roles. The lack of official patches at the time of publication necessitates immediate mitigation steps to prevent exploitation.

The impact of CVE-2025-13678 is primarily on the confidentiality and integrity of affected WordPress sites using the Thai Lottery Widget plugin. Successful exploitation allows attackers with Contributor-level access to inject persistent malicious scripts that execute in the context of other users' browsers. This can lead to session hijacking, unauthorized actions performed with victim user privileges, defacement, or distribution of malware. Since the vulnerability requires authenticated access, the risk is elevated in environments with multiple contributors or less strict access controls. The scope of affected systems includes any WordPress installation using the vulnerable plugin, which may be widespread in regions where the plugin is popular, especially Thailand and sites targeting Thai audiences. Although availability is not directly impacted, the indirect effects of exploitation could disrupt site operations or user trust. Organizations worldwide using this plugin face reputational damage and potential data breaches if the vulnerability is exploited. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities rapidly after disclosure.

To mitigate CVE-2025-13678, organizations should first check for and apply any official patches or updates released by the plugin vendor. If no patch is available, immediate steps include disabling the Thai Lottery Widget plugin or removing the vulnerable shortcode usage from all pages. Restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious shortcode attribute injection. Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious input patterns in shortcode attributes, particularly targeting script tags or JavaScript event handlers. Conduct thorough input validation and output encoding on all user-supplied data in custom plugins or themes to prevent similar vulnerabilities. Monitor logs for unusual activity related to shortcode usage or unexpected script injections. Educate site administrators and contributors about the risks of injecting untrusted content. Finally, consider adopting security plugins that scan for XSS vulnerabilities and enforce content security policies (CSP) to reduce the impact of potential script injections.