CVE-2025-8317
BaseFortify
Publication date: 2025-08-02
Last updated on: 2025-08-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bnielsen | custom_word_cloud | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Custom Word Cloud plugin for WordPress is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize or escape the 'angle' parameter input. Authenticated users with Contributor-level access or higher can inject malicious scripts via this parameter. These scripts are then stored and executed whenever any user views the affected page, potentially compromising user security.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access to inject arbitrary malicious scripts into pages. When other users visit these pages, the injected scripts execute in their browsers, which can lead to theft of user credentials, session hijacking, defacement, or other malicious actions. It compromises the integrity and security of the website and its users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Custom Word Cloud WordPress plugin version 0.3 or earlier is installed and active, and if the 'angle' parameter is being used in a way that could allow stored XSS. Since the vulnerability requires Contributor-level access to inject scripts, monitoring for unusual POST requests or content submissions to pages using the [cwcloud] shortcode with the 'angle' parameter could help. Specific commands are not provided in the resources, but general detection steps include: 1) Checking installed plugins and their versions via WordPress admin or WP-CLI (e.g., `wp plugin list`), 2) Searching for usage of the shortcode with the 'angle' attribute in posts/pages, 3) Monitoring HTTP POST requests to pages using the shortcode for suspicious input in the 'angle' parameter. No explicit commands are given in the provided resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Disable or uninstall the Custom Word Cloud plugin until a patched version is available, as the plugin has been temporarily closed pending a security review. 2) Restrict Contributor-level and higher user permissions to trusted users only to prevent exploitation. 3) Avoid using or allowing user input for the 'angle' parameter in the shortcode or forms. 4) Monitor and sanitize inputs if the plugin must be used, although the current version lacks sufficient sanitization. Since the plugin is no longer available for download and is under review, removing or disabling it is the safest immediate action. [1]