CVE-2025-13308 identifies a reflected Cross-Site Scripting vulnerability in the Application Passwords plugin developed by georgestephanis for WordPress. The vulnerability exists due to insufficient input sanitization and output escaping of the 'reject_url' parameter, which accepts user-supplied URLs. Attackers can embed javascript: URI schemes within this parameter, enabling the injection of arbitrary JavaScript code. When a victim clicks the "No, I do not approve of this connection" button, the malicious script executes in the context of the victim's browser. This attack vector requires no authentication but depends on social engineering to lure users into clicking crafted links. The vulnerability affects all versions up to and including 0.1.3 of the plugin. The CVSS 3.1 base score is 5.4 (medium), reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, and partial confidentiality and integrity impact without availability impact. No patches or updates are currently linked, and no known exploits have been reported in the wild. The vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation, a common cause of XSS. This vulnerability could be leveraged to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites, compromising user data and trust.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites with the Application Passwords plugin enabled. Exploitation could lead to session hijacking, unauthorized actions performed in the context of authenticated users, and potential data leakage. This can damage organizational reputation, lead to regulatory non-compliance under GDPR due to data breaches, and cause financial losses. Since the attack requires user interaction, phishing campaigns targeting employees or customers could be used to exploit this vulnerability. Organizations with customer-facing WordPress portals or internal WordPress-based tools are at risk of targeted attacks. The vulnerability does not affect availability but compromises confidentiality and integrity, which are critical for trust and security in digital services. The medium severity suggests that while the risk is not critical, it should be addressed promptly to prevent exploitation.

1. Monitor for plugin updates or patches from the developer and apply them immediately once available. 2. Until a patch is released, consider disabling the Application Passwords plugin if it is not essential. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious 'reject_url' parameter values containing javascript: schemes or other suspicious payloads. 4. Educate users and administrators about phishing risks and the dangers of clicking untrusted links, especially those prompting interaction with WordPress authentication dialogs. 5. Conduct regular security assessments and penetration tests focusing on WordPress plugins and user input handling. 6. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and untrusted sources, mitigating the impact of XSS attacks. 7. Use security plugins that provide additional input sanitization and output escaping for WordPress sites. 8. Review and harden WordPress configurations to minimize exposure to reflected XSS vectors.