The Nouri.sh Newsletter plugin for WordPress, maintained by danrajkumar, suffers from a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-13515. This vulnerability exists in all versions up to and including 1.0.1.3 due to insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] parameter. When a user visits a specially crafted URL containing malicious script code injected into this parameter, the plugin reflects the input unsafely in the generated web page, causing the victim's browser to execute the injected script. This type of XSS is classified under CWE-79, which involves improper neutralization of input during web page generation. The attack vector is remote with no privileges required, but it necessitates user interaction, such as clicking a malicious link. The vulnerability affects confidentiality and integrity by enabling theft of session cookies, credentials, or performing actions on behalf of the user, but it does not impact system availability. The CVSS v3.1 base score is 6.1, indicating medium severity. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability's scope is limited to websites running the affected plugin versions, primarily WordPress sites using Nouri.sh Newsletter.

This vulnerability can lead to unauthorized disclosure of sensitive information such as session cookies or authentication tokens, enabling attackers to hijack user sessions or impersonate users. It can also facilitate phishing attacks by injecting malicious scripts that alter webpage content or redirect users to malicious sites. While it does not directly impact system availability, the compromise of user accounts or administrative sessions can lead to further exploitation or data breaches. Organizations relying on the Nouri.sh Newsletter plugin expose their users to these risks, potentially damaging reputation and trust. The medium severity reflects the balance between ease of exploitation and the requirement for user interaction. The impact is especially significant for websites with high user engagement or those handling sensitive user data.

Administrators should immediately review their use of the Nouri.sh Newsletter plugin and upgrade to a patched version once available. In the absence of an official patch, applying web application firewall (WAF) rules to detect and block malicious payloads targeting the $_SERVER['PHP_SELF'] parameter can reduce risk. Input validation and output encoding should be implemented at the application level to sanitize user-supplied data before rendering. Additionally, educating users to avoid clicking suspicious links and employing Content Security Policy (CSP) headers can mitigate the impact of XSS attacks. Regular security audits and monitoring for unusual user activity can help detect exploitation attempts. Disabling or replacing the vulnerable plugin with a secure alternative is advisable if patches are delayed.