CVE-2025-13854 identifies a stored Cross-Site Scripting vulnerability in the soniz Curved Text plugin for WordPress, specifically in all versions up to and including 0.1. The vulnerability stems from insufficient sanitization and output escaping of the 'radius' parameter within the arctext shortcode. Authenticated users with Contributor-level or higher privileges can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. Because the malicious script is stored persistently, it executes in the browsers of any users who visit the infected page, potentially allowing attackers to hijack sessions, steal cookies, or perform actions on behalf of other users. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges, no user interaction, and a scope change. No public exploits have been reported yet, but the risk remains significant due to the common use of WordPress and the plugin’s presence. The lack of patch links indicates that no official fix has been released at the time of publication, emphasizing the need for interim mitigations.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the soniz Curved Text plugin installed. Exploitation could lead to unauthorized script execution in users’ browsers, resulting in session hijacking, defacement, or unauthorized actions performed with the victim’s privileges. This can damage organizational reputation, lead to data leakage, or facilitate further attacks such as privilege escalation or lateral movement within internal networks if administrative users are targeted. Since the attack requires authenticated access at Contributor level or above, organizations with multiple content editors or contributors are at higher risk. The impact is heightened for public-facing websites with high traffic, including e-commerce, government portals, and media outlets prevalent in Europe. Additionally, the scope change in the CVSS vector indicates that the vulnerability could affect resources beyond the initially compromised component, potentially impacting broader site integrity.

1. Immediately audit user roles and permissions to ensure that only trusted users have Contributor-level or higher access, minimizing the risk of malicious shortcode injection. 2. Monitor and review all shortcode usage, particularly the 'arctext' shortcode and its 'radius' parameter, for suspicious or unexpected input. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'radius' parameter in the Curved Text plugin. 4. Disable or remove the soniz Curved Text plugin if it is not essential to reduce the attack surface. 5. Stay alert for official patches or updates from the plugin vendor and apply them promptly once available. 6. Educate content contributors about safe input practices and the risks of injecting untrusted content. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 8. Regularly back up website content and configurations to enable quick recovery in case of compromise.