CVE-2025-8317

The Custom Word Cloud plugin for WordPress (versions up to and including 0.3) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping. The vulnerability resides in the handling of the 'angle' parameter, which is used to configure the word cloud display. The plugin does not properly validate or sanitize user input before storing it and later rendering it in administrative or public pages, allowing attackers to inject arbitrary web scripts [1].

To exploit this vulnerability, an attacker must be an authenticated WordPress user with at least Contributor-level access. This means the attacker can create or edit posts/pages where the word cloud shortcode or widget is used, injecting malicious JavaScript into the 'angle' field. The crafted payload is stored on the server and will execute in the browser of any user (including administrators) who subsequently views the affected page. No additional privileges or network access are required beyond the contributor role [1].

Successful exploitation allows an attacker to perform actions within the context of the victim's session, such as stealing session cookies, modifying page content, or performing other malicious actions. Because the script executes in the context of the WordPress installation, it could lead to privilege escalation if an administrator views the injected page. The Medium CVSS v3 score of 6.4 reflects the authenticated requirement but also the potential for significant impact [1].

As of the publication date (August 2, 2025), the vendor has not released a patched version for CVE-2025-8317. Users of the Custom Word Cloud plugin are advised to disable the plugin until a security update is made available. Administrators should review any existing content created by users with Contributor access or above for potential XSS injections, particularly in the 'angle' parameter [1].