The azurecurve BBCode plugin for WordPress, widely used to enable BBCode formatting in posts, suffers from a stored cross-site scripting vulnerability identified as CVE-2025-8398. This vulnerability is due to insufficient sanitization and escaping of user-supplied input in the 'url' shortcode attribute. Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into posts or pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session cookies, redirecting users, or performing actions on their behalf. The vulnerability affects all plugin versions up to and including 2.0.4. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, and requiring privileges but no user interaction. The vulnerability impacts confidentiality and integrity but not availability. No patches or official fixes have been published at the time of disclosure, and no known exploits are currently in the wild. The vulnerability was reserved on July 30, 2025, and published on September 11, 2025. The CWE classification is CWE-79, indicating improper neutralization of input during web page generation. This vulnerability is particularly dangerous in multi-user WordPress environments where contributors can publish content, as it allows persistent script injection affecting all visitors to the compromised content.

This vulnerability can lead to significant security risks for organizations running WordPress sites with the azurecurve BBCode plugin installed. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially stealing authentication tokens, performing unauthorized actions, or spreading malware. This compromises user confidentiality and site integrity. For organizations relying on WordPress for public-facing or internal content management, this could result in data breaches, reputational damage, and loss of user trust. Since the attack requires authenticated access, insider threats or compromised contributor accounts pose a particular risk. The scope includes any WordPress site using the vulnerable plugin version, which may be widespread given the plugin's availability. Although availability is not directly impacted, the indirect consequences of exploitation can disrupt normal operations and require costly incident response and remediation efforts.

Given no official patch is currently available, organizations should take immediate steps to mitigate risk. First, restrict contributor-level permissions to trusted users only and audit existing contributor accounts for suspicious activity. Disable or remove the azurecurve BBCode plugin until a patched version is released. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'url' shortcode. Employ Content Security Policy (CSP) headers to limit script execution sources and reduce impact of injected scripts. Educate content contributors about safe input practices and monitor published content for unexpected scripts or HTML. Once a patch is available, apply it promptly. Additionally, consider using alternative BBCode plugins with better security track records. Regularly review and update WordPress and all plugins to minimize exposure to known vulnerabilities.