CVE-2025-13512 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the jiangxin CoSign Single Signon plugin for WordPress, present in all versions up to and including 0.3.1. The vulnerability stems from improper neutralization of input during web page generation, specifically due to insufficient sanitization and escaping of the $_SERVER['PHP_SELF'] parameter. This parameter reflects the current script's filename and can be manipulated by an attacker to inject arbitrary JavaScript code. When a victim clicks a crafted URL containing malicious script payloads embedded in this parameter, the injected code executes in the context of the victim's browser session. This can lead to theft of session cookies, defacement, or redirection to malicious sites, compromising user confidentiality and integrity. The vulnerability requires no authentication but does require user interaction (clicking a malicious link). The CVSS 3.1 score of 6.1 reflects a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impact on confidentiality and integrity but not availability. No patches or exploits are currently documented, but the plugin's widespread use in WordPress environments makes this a relevant threat. The vulnerability is classified under CWE-79, a common web application security weakness related to improper input validation and output encoding.

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with affected WordPress sites using the CoSign Single Signon plugin. Successful exploitation can lead to session hijacking, unauthorized actions performed on behalf of the user, or redirection to malicious websites, potentially resulting in credential theft or further malware infection. Although availability is not directly impacted, the trustworthiness of the affected web application is undermined, which can damage organizational reputation and user confidence. For organizations, this could mean exposure of sensitive user data, increased risk of account compromise, and potential regulatory compliance issues related to data protection. Since the vulnerability is exploitable remotely without authentication but requires user interaction, phishing campaigns or social engineering could be leveraged to maximize impact. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities rapidly after disclosure.

Organizations should immediately verify if they are using the jiangxin CoSign Single Signon plugin version 0.3.1 or earlier and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should implement strict input validation and output encoding on the $_SERVER['PHP_SELF'] parameter or disable the vulnerable functionality if feasible. Employing Web Application Firewalls (WAFs) with rules to detect and block suspicious query strings containing script tags or typical XSS payloads can provide interim protection. Additionally, security teams should conduct user awareness training to recognize phishing attempts that might exploit this vulnerability. Monitoring web server logs for unusual URL patterns and anomalous user behavior can help detect exploitation attempts. Finally, applying Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources.