CVE-2025-13656

Vulnerability

Overview

The Cute News Ticker plugin for WordPress, versions up to and including 1.0, contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'color' shortcode attribute. The plugin fails to properly sanitize user input and escape output when processing this attribute, allowing malicious script content to be stored and executed in the context of a user's browser [1].

Exploitation

Details

An authenticated attacker with at least Contributor-level access can exploit this flaw by injecting arbitrary web scripts through the 'color' parameter of the plugin's shortcode. When a victim (such as an administrator or site visitor) accesses a page containing the crafted shortcode, the injected script executes. No special network position is required beyond standard WordPress user privileges [1].

Impact

Successful exploitation enables the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, or defacing pages. Because the script executes in the context of the victim's session, it can potentially lead to privilege escalation if an administrator views the compromised page [1].

Mitigation

Status

The plugin has been closed as of December 4, 2025, and is no longer available for download due to this security issue [1]. Users who have the plugin installed should immediately remove it and replace it with an alternative solution. No patched version exists, and no workaround is provided by the vendor [1].