CVE-2025-8317: 
WordPress vulnerability analysis and mitigation

The Custom Word Cloud plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-8317) in versions up to and including 0.3. The vulnerability was discovered and reported by Wordfence, with disclosure on August 2, 2025. The vulnerability affects the 'angle' parameter due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (Medium). The vulnerability exists in the plugin's handling of the 'angle' parameter, where insufficient input sanitization and output escaping allows for the injection of malicious scripts. The attack vector requires authenticated access with Contributor-level privileges or higher (NVD, Wordfence).

When successfully exploited, the vulnerability allows authenticated attackers to inject arbitrary web scripts into pages. These injected scripts will execute whenever any user accesses the affected pages, potentially leading to theft of sensitive information, session hijacking, or other malicious actions typically associated with XSS attacks (NVD).

The plugin has been temporarily closed as of July 30, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress).