What is CVE-2025-13854?

CVE-2025-13854 is a Stored Cross-Site Scripting (XSS) vulnerability in the Curved Text plugin for WordPress, affecting version 0.1. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the ‘radius’ parameter of the arctext shortcode.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping for the ‘radius’ shortcode attribute. Attackers can insert JavaScript payloads into this attribute, which are then executed when a user views the affected page.

Who is affected by this vulnerability?

Any WordPress site using the Curved Text plugin version 0.1 is vulnerable. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability to inject malicious scripts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify that you are using the Curved Text plugin version 0.1. You can do this by navigating to the Plugins section in your WordPress admin dashboard and checking the version number.

What is the severity level of this vulnerability?

CVE-2025-13854 has a CVSS score of 6.4, indicating a medium severity level. This means that while the vulnerability can be exploited, it requires authenticated access, limiting the potential impact to sites where such access is granted.

How can I fix this vulnerability?

To fix this vulnerability, update the Curved Text plugin to the latest version that addresses the issue. Additionally, ensure that proper input sanitization and output escaping are implemented in the shortcode handling code.

What mitigation measures can I take?

In addition to updating the plugin, consider restricting Contributor-level access to trusted users only. Regularly review user permissions and implement security plugins that can help detect and prevent XSS attacks.

What does the CVSS vector indicate?

The CVSS vector indicates a scope change (S:C), meaning that the impact of the vulnerability can extend beyond the plugin itself, potentially affecting other components of the WordPress site. This emphasizes the need for thorough security practices.

How does the proof of concept demonstrate the issue?

The proof of concept simulates an authenticated Contributor user injecting a malicious shortcode into a post through the WordPress editor. It highlights that the exploit occurs via the admin interface, making it necessary to have valid credentials for successful exploitation.

What are the potential consequences of exploitation?

Successful exploitation can lead to stored XSS, allowing attackers to execute scripts in the browsers of users viewing the compromised page. This can result in session hijacking, unauthorized actions, site defacement, or malicious redirects.

Is there a patch available for this vulnerability?

As of the disclosure date, users should check for updates to the Curved Text plugin that address CVE-2025-13854. Regularly updating plugins is crucial for maintaining site security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-13854: Curved Text <= 0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (curved-text)

CVE ID CVE-2025-13854

Plugin curved-text

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 0.1

Patched Version —

Disclosed January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13854 (metadata-based):
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Curved Text WordPress plugin, version 0.1. The vulnerability exists within the ‘arctext’ shortcode handler, specifically in its handling of the ‘radius’ attribute. Attackers with Contributor-level access or higher can inject malicious scripts that execute in the context of any user viewing a page containing the compromised shortcode.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping. The plugin likely accepts user-supplied input for the ‘radius’ shortcode attribute and directly echoes it into the page without proper neutralization. This inference is based on the CWE-79 classification and the vulnerability description. Without access to the patched version or source code diff, this conclusion is derived from the standard failure pattern for WordPress shortcode XSS vulnerabilities.

Exploitation requires an authenticated attacker with at least Contributor privileges. The attacker creates or edits a post or page, inserting the vulnerable shortcode with a malicious payload in the ‘radius’ attribute. The payload would be a JavaScript payload, such as `alert(‘XSS’)`, likely requiring HTML encoding or quotes to fit within the shortcode attribute context. The attack vector is the WordPress editor, not a direct HTTP endpoint, making WAF detection more challenging.

Remediation requires implementing proper output escaping. The plugin should use WordPress core escaping functions like `esc_attr()` when outputting the ‘radius’ attribute value within HTML. Input sanitization for shortcode attributes, using functions like `sanitize_text_field()`, is also a recommended defense-in-depth measure. A proper fix would validate the ‘radius’ value as a numeric parameter before use.

Successful exploitation leads to stored XSS. Injected scripts execute in the browser of any user who views the compromised page. This can result in session hijacking, administrative actions performed on behalf of the user, defacement, or malicious redirects. The CVSS vector indicates scope change (S:C), meaning the impact can propagate to other site components beyond the plugin itself.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2025-13854 (metadata-based)
# This rule targets POST requests to the WordPress post editor that contain the malicious 'arctext' shortcode.
# It inspects the POST body for the shortcode pattern with a script payload in the 'radius' attribute.
SecRule REQUEST_METHOD "@streq POST" 
  "id:10013854,phase:2,deny,status:403,chain,msg:'CVE-2025-13854: Curved Text Plugin Stored XSS via arctext shortcode',severity:'CRITICAL',tag:'CVE-2025-13854',tag:'WordPress',tag:'WAF',tag:'XSS'"
  SecRule REQUEST_URI "@rx /wp-admin/(post.php|post-new.php)$" "chain"
    SecRule REQUEST_BODY "@rx [arctext[^]]*radiuss*=s*['"][^'"]*<script" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13854 - Curved Text <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
<?php
/**
 * This PoC simulates an authenticated Contributor user injecting a malicious shortcode into a post.
 * It assumes valid WordPress credentials and the ability to create/edit posts.
 * The exploit occurs via the standard WordPress post editor, not a direct plugin endpoint.
 * Therefore, a direct HTTP PoC using cURL is not feasible without simulating the entire WordPress editor workflow (nonce, post ID, etc.).
 * The attack is performed manually through the admin interface.
 * A meaningful automated PoC would require full WordPress environment simulation.
 */
return null;

Frequently Asked Questions

What is CVE-2025-13854?
Understanding the vulnerability
CVE-2025-13854 is a Stored Cross-Site Scripting (XSS) vulnerability in the Curved Text plugin for WordPress, affecting version 0.1. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the ‘radius’ parameter of the arctext shortcode.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping for the ‘radius’ shortcode attribute. Attackers can insert JavaScript payloads into this attribute, which are then executed when a user views the affected page.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the Curved Text plugin version 0.1 is vulnerable. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability to inject malicious scripts.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify that you are using the Curved Text plugin version 0.1. You can do this by navigating to the Plugins section in your WordPress admin dashboard and checking the version number.
What is the severity level of this vulnerability?
Understanding the risk
CVE-2025-13854 has a CVSS score of 6.4, indicating a medium severity level. This means that while the vulnerability can be exploited, it requires authenticated access, limiting the potential impact to sites where such access is granted.
How can I fix this vulnerability?
Recommended remediation steps
To fix this vulnerability, update the Curved Text plugin to the latest version that addresses the issue. Additionally, ensure that proper input sanitization and output escaping are implemented in the shortcode handling code.
What mitigation measures can I take?
Preventing exploitation
In addition to updating the plugin, consider restricting Contributor-level access to trusted users only. Regularly review user permissions and implement security plugins that can help detect and prevent XSS attacks.
What does the CVSS vector indicate?
Understanding the CVSS context
The CVSS vector indicates a scope change (S:C), meaning that the impact of the vulnerability can extend beyond the plugin itself, potentially affecting other components of the WordPress site. This emphasizes the need for thorough security practices.
How does the proof of concept demonstrate the issue?
Exploit simulation explanation
The proof of concept simulates an authenticated Contributor user injecting a malicious shortcode into a post through the WordPress editor. It highlights that the exploit occurs via the admin interface, making it necessary to have valid credentials for successful exploitation.
What are the potential consequences of exploitation?
Impact of successful attacks
Successful exploitation can lead to stored XSS, allowing attackers to execute scripts in the browsers of users viewing the compromised page. This can result in session hijacking, unauthorized actions, site defacement, or malicious redirects.
Is there a patch available for this vulnerability?
Checking for updates
As of the disclosure date, users should check for updates to the Curved Text plugin that address CVE-2025-13854. Regularly updating plugins is crucial for maintaining site security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations