CVE-2025-13308 is a reflected Cross-Site Scripting vulnerability identified in the Application Passwords plugin for WordPress, developed by georgestephanis. This plugin allows users to generate application-specific passwords to facilitate external app access. The vulnerability exists in all versions up to and including 0.1.3 due to improper neutralization of user input in the 'reject_url' parameter. Specifically, the plugin fails to properly sanitize and escape this parameter, enabling an attacker to embed javascript: URI schemes. When a victim clicks on a maliciously crafted link containing this parameter and subsequently clicks the 'No, I do not approve of this connection' button, the injected script executes in the victim’s browser context. This reflected XSS does not require the attacker to be authenticated but does require the victim to interact with the malicious link and button. The vulnerability impacts confidentiality and integrity by potentially allowing session hijacking, credential theft, or unauthorized actions performed in the context of the victim’s session. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, low privileges required, user interaction needed, scope change, and partial confidentiality and integrity impact without availability impact. No patches or exploit code are currently publicly available, and no active exploitation has been reported. The vulnerability highlights the importance of robust input validation and output encoding in web applications, especially plugins that handle authentication workflows.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within WordPress sites using the affected Application Passwords plugin. Attackers can execute arbitrary JavaScript in the context of a victim’s browser, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of the user. Although availability is not affected, the breach of confidentiality and integrity can lead to account compromise, data leakage, and further exploitation within the WordPress environment. Given WordPress’s widespread use globally, many organizations, especially those relying on this plugin for application password management, are at risk. The requirement for user interaction reduces the ease of exploitation but does not eliminate risk, as phishing or social engineering can facilitate victim clicks. The vulnerability could be leveraged in targeted attacks against administrators or users with elevated privileges, increasing the potential damage. The lack of known exploits in the wild currently limits immediate widespread impact but does not preclude future exploitation once proof-of-concept code becomes available.

To mitigate this vulnerability, organizations should immediately update the Application Passwords plugin once a patched version is released by the vendor. Until then, administrators should consider disabling the plugin or restricting its use to trusted users only. Implementing Web Application Firewall (WAF) rules to detect and block requests containing suspicious 'reject_url' parameters with javascript: schemes can reduce risk. Educating users about phishing risks and the dangers of clicking untrusted links is critical to prevent exploitation via social engineering. Developers maintaining the plugin should apply strict input validation and output encoding on all user-supplied parameters, especially URLs, to neutralize malicious scripts. Additionally, employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular security audits and monitoring for unusual activity related to application password usage can help detect exploitation attempts early. Finally, organizations should maintain up-to-date backups and incident response plans to quickly recover from potential compromises.