CVE-2025-13513 is a reflected Cross-Site Scripting vulnerability identified in the Clik stats plugin for WordPress, developed by codejunkie. The vulnerability exists in all versions up to and including 0.8 due to insufficient sanitization and escaping of the $_SERVER['PHP_SELF'] parameter during web page generation. This parameter is commonly used to retrieve the current script's filename, but if not properly neutralized, it can be manipulated by attackers to inject arbitrary JavaScript code. When a user clicks on a crafted URL containing malicious payloads in the PHP_SELF parameter, the injected script executes in the context of the victim's browser session. This can lead to theft of session cookies, defacement, or redirection to malicious sites, compromising confidentiality and integrity of user data. The vulnerability is exploitable remotely over the network without authentication but requires user interaction (clicking a link). The CVSS v3.1 base score is 6.1, indicating medium severity with low attack complexity and no privileges required. The scope is changed (S:C) because the vulnerability affects components beyond the initially vulnerable code, potentially impacting the broader application context. No patches or official fixes are currently published, and no known exploits have been observed in the wild. The vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS attacks.

This vulnerability can lead to unauthorized script execution in users' browsers, enabling attackers to steal sensitive information such as authentication cookies, perform actions on behalf of users, or redirect users to malicious websites. For organizations, this can result in compromised user accounts, data breaches, reputational damage, and potential regulatory penalties if personal data is exposed. Since the vulnerability requires user interaction, the attack surface is somewhat limited but still significant, especially for websites with high traffic or users with elevated privileges. The reflected XSS can also be used as a vector for more complex attacks like phishing or malware distribution. The medium CVSS score reflects moderate risk; however, the widespread use of WordPress and potential popularity of the Clik stats plugin could amplify impact if exploited at scale. No availability impact is expected, but confidentiality and integrity are at risk.

Organizations should immediately audit their WordPress installations for the presence of the Clik stats plugin and assess version usage. Until an official patch is released, administrators can implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the PHP_SELF parameter. Input validation and output encoding should be enforced at the application level, ideally by sanitizing the PHP_SELF variable to remove or encode special characters before rendering. Disabling or removing the plugin temporarily can mitigate risk if the plugin is not essential. Educating users about the risks of clicking unsolicited or suspicious links can reduce successful exploitation. Monitoring logs for unusual URL patterns and anomalous user activity can help detect attempted attacks. Once a patch is available, prompt application of updates is critical. Developers should adopt secure coding practices to prevent similar injection flaws in future plugin versions.