CVE-2025-8398

Vulnerability

Overview The azurecurve BBCode plugin for WordPress, in all versions up to and including 2.0.4, contains a Stored Cross-Site Scripting (XSS) vulnerability in its 'url' shortcode. The plugin fails to properly sanitize user-supplied attributes and escape output when rendering the shortcode, allowing malicious HTML or JavaScript to be stored in the database [1].

Exploitation

Conditions An attacker must have at least contributor-level access to a WordPress site where the plugin is active. The vulnerability is triggered by crafting a shortcode like [url=javascript:alert(1)]click[/url] or using other XSS payloads in the URL attribute. When the shortcode is processed, the unsanitized attribute is output directly into the page content, which is then served to other users [1].

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts that execute in the browsers of any user visiting the affected user visiting a page containing the malicious shortcode. This can lead to session hijacking, defacement, or theft of sensitive information. The stored nature of the XSS means the payload persists until removed, increasing the potential reach [1].

Mitigation

As of the publication date, the vulnerability remains unpatched in version 2.0.4. Users should disable the plugin until a security update is released, or apply input validation and output escaping as a temporary workaround. No known exploitation in the wild has been reported at this time.