CVE-2025-13678 is a stored Cross-Site Scripting (XSS) vulnerability categorized under CWE-79, found in the Thai Lottery Widget plugin for WordPress, which is widely used to display lottery results. The vulnerability arises from improper neutralization of user-supplied input during web page generation, specifically in the 'width' and 'height' shortcode attributes of the 'thailottery' shortcode. These attributes are not sufficiently sanitized or escaped before being rendered on the page, allowing an authenticated attacker with Contributor-level privileges or higher to inject arbitrary JavaScript code. Because the injected script is stored in the page content, it executes every time any user accesses the affected page, potentially enabling session hijacking, privilege escalation, or other malicious actions. The vulnerability requires authentication but no further user interaction, and it affects all versions of the plugin up to and including 2.5. The CVSS v3.1 score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the vulnerable component. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability is particularly concerning for WordPress sites that allow multiple contributors or editors to add content and use this plugin, as it can be leveraged to compromise site visitors or administrators.

For European organizations, the impact of this vulnerability can be significant if the Thai Lottery Widget plugin is in use on their WordPress sites, especially those that allow Contributor-level users to add or modify content. Exploitation could lead to the injection of malicious scripts that compromise the confidentiality of user sessions, steal sensitive information, or perform unauthorized actions on behalf of users. While availability is not directly affected, the integrity of website content and user trust can be severely damaged. Organizations involved in e-commerce, information dissemination, or community engagement could face reputational harm and potential regulatory scrutiny under GDPR if user data is compromised. The medium CVSS score reflects that while exploitation requires some privileges, the attack can be performed remotely over the network without user interaction, increasing risk. Since no known exploits are in the wild, the threat is currently theoretical but should be addressed proactively. The vulnerability could also be leveraged in targeted attacks against European entities with Thai community ties or interest in lottery-related content.

1. Immediately audit WordPress sites for the presence of the Thai Lottery Widget plugin and identify versions up to 2.5. 2. Restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious shortcode attribute injection. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute values containing script tags or event handlers. 4. Apply strict input validation and output encoding on shortcode attributes if custom development is possible, ensuring all user inputs are sanitized before rendering. 5. Monitor site content for unexpected script injections or anomalies in pages using the 'thailottery' shortcode. 6. Once the vendor releases a patch, prioritize updating the plugin to the fixed version. 7. Educate content contributors about the risks of injecting untrusted content and enforce content review workflows. 8. Consider disabling or replacing the plugin if it is not essential to reduce attack surface.