CVE-2025-8398: 
WordPress vulnerability analysis and mitigation

The azurecurve BBCode plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-8398) discovered on September 11, 2025. This vulnerability affects all versions up to and including 2.0.4. The plugin's 'url' shortcode is specifically affected due to insufficient input sanitization and output escaping on user-supplied attributes (NVD CVE).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 6.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability exists in the plugin's 'url' shortcode functionality where user-supplied attributes are not properly sanitized before being stored and displayed (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user sessions (NVD CVE).

As of September 10, 2025, the plugin has been temporarily closed and is not available for download pending a full review (WordPress Plugin). Users are advised to disable and remove the plugin until a patched version becomes available.