CVE-2025-13622 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Jabbernotification plugin for WordPress, affecting all versions up to and including 0.99-RC2. The root cause is insufficient sanitization and escaping of user-supplied input in the admin.php PATH_INFO parameter. This flaw allows unauthenticated attackers to craft malicious URLs containing arbitrary JavaScript code that, when clicked by an unsuspecting user, executes in the context of the victim's browser session. The vulnerability leverages the reflected XSS vector, meaning the injected script is not stored but reflected off the server in the response. The attack requires user interaction (clicking a malicious link) but no authentication or special privileges. The impact includes potential theft of session cookies, user impersonation, and manipulation of displayed content, compromising confidentiality and integrity of user data. The CVSS 3.1 base score is 6.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and partial confidentiality and integrity impact. No patches are currently published, and no known exploits have been reported in the wild. The vulnerability is particularly concerning for WordPress sites with administrative interfaces exposed to the internet, where attackers can target site administrators or privileged users. Given WordPress's widespread use in Europe, especially among SMEs and public sector websites, this vulnerability poses a tangible risk if unmitigated.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information such as authentication tokens or personal data through session hijacking. Attackers could also manipulate web page content to conduct phishing or social engineering attacks against employees or customers, potentially leading to further compromise. The reflected XSS nature means the attack is transient but can be highly effective against targeted users, especially administrators with elevated privileges. Public-facing WordPress sites using the vulnerable plugin are at risk of reputational damage, regulatory non-compliance (e.g., GDPR breaches due to data exposure), and operational disruption if attackers leverage the vulnerability to escalate privileges or deploy secondary attacks. The medium severity score indicates moderate risk, but the ease of exploitation and potential for user impersonation make timely mitigation critical. Organizations relying on this plugin should consider the threat significant, particularly those in sectors with high regulatory scrutiny or valuable digital assets.

1. Monitor for and apply security patches from the plugin vendor immediately upon release. 2. Until patches are available, restrict access to the admin.php endpoint using IP whitelisting or VPN access to limit exposure. 3. Deploy a Web Application Firewall (WAF) with rules to detect and block reflected XSS attack patterns, especially targeting the PATH_INFO parameter. 4. Implement Content Security Policy (CSP) headers to reduce the impact of injected scripts by restricting script execution sources. 5. Educate users, particularly administrators, about the risks of clicking unsolicited links and phishing attempts. 6. Regularly audit WordPress plugins for vulnerabilities and remove or replace unsupported or unmaintained plugins. 7. Enable multi-factor authentication (MFA) for WordPress admin accounts to mitigate the impact of session hijacking. 8. Monitor logs for suspicious requests targeting admin.php with unusual PATH_INFO values to detect exploitation attempts early.