CVE-2025-13854 is a stored cross-site scripting vulnerability identified in the soniz Curved Text plugin for WordPress, specifically affecting all versions up to and including 0.1. The vulnerability stems from insufficient sanitization and escaping of the 'radius' parameter within the arctext shortcode, which allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions within the context of the affected site. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, requiring low attack complexity and privileges (authenticated Contributor or above), but no user interaction is necessary for exploitation. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the attacker’s privileges, impacting confidentiality and integrity but not availability. No patches or known exploits have been reported at the time of publication, but the vulnerability represents a significant risk for WordPress sites using this plugin, especially those with multiple contributors. The lack of output escaping and input validation in a commonly used shortcode parameter makes this vulnerability particularly dangerous in collaborative environments where multiple users can contribute content.

The primary impact of CVE-2025-13854 is the compromise of confidentiality and integrity of affected WordPress sites. Exploitation allows attackers to execute arbitrary scripts in the context of other users’ browsers, potentially leading to theft of authentication cookies, session tokens, or other sensitive information. This can facilitate account takeover, privilege escalation, or unauthorized actions on the site. Since the vulnerability requires Contributor-level access, it can be exploited by malicious insiders or compromised contributor accounts, increasing the risk in multi-user environments. The vulnerability does not directly affect availability but can lead to reputational damage, loss of user trust, and potential data breaches. Organizations relying on the soniz Curved Text plugin for content presentation are at risk of persistent XSS attacks that can be difficult to detect and remediate without proper monitoring. The medium CVSS score reflects a moderate but actionable threat, especially for high-traffic or sensitive WordPress sites. Given WordPress’s global popularity, the impact can be widespread, affecting websites ranging from small blogs to large enterprises that use this plugin for visual text effects.

To mitigate CVE-2025-13854, organizations should first check for updates or patches from the soniz plugin developers and apply them promptly once available. In the absence of official patches, site administrators should consider disabling or removing the Curved Text plugin to eliminate the attack surface. Implement strict role-based access controls to limit Contributor-level permissions only to trusted users and regularly audit user accounts for suspicious activity. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'radius' parameter in the arctext shortcode. Additionally, sanitize and validate all user inputs at both client and server sides, and apply output encoding to prevent script execution. Monitoring logs for unusual content submissions or script injections can help detect exploitation attempts early. Educate content contributors about safe content practices and the risks of injecting untrusted code. Finally, consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the site.