CVE-2025-13624 identifies a reflected Cross-Site Scripting vulnerability in the Overstock Affiliate Links plugin for WordPress, developed by travishoki. The vulnerability stems from improper neutralization of input during web page generation, specifically via the $_SERVER['PHP_SELF'] parameter, which is not adequately sanitized or escaped before being output. This allows an unauthenticated attacker to craft a malicious URL containing executable JavaScript code. When a victim clicks this link, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or other malicious actions that compromise user confidentiality and integrity. The vulnerability affects all versions up to and including 1.1 of the plugin. The CVSS 3.1 base score is 6.1, reflecting network attack vector, low attack complexity, no privileges required, but user interaction is necessary. The scope is changed because the vulnerability affects user data and session integrity. No known exploits have been reported in the wild yet, but the widespread use of WordPress and affiliate marketing plugins increases the risk of exploitation. The vulnerability is categorized under CWE-79, which covers improper input neutralization leading to XSS. Since no official patch links are currently available, users must monitor vendor updates and apply fixes promptly once released.

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with affected WordPress sites using the Overstock Affiliate Links plugin. Attackers can execute arbitrary scripts in the context of the victim’s browser, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of the user. This can lead to account compromise, unauthorized transactions, or data leakage. Although availability is not directly impacted, the reputational damage and loss of customer trust can be significant for affected organizations. E-commerce and affiliate marketing websites are particularly at risk, as attackers may leverage this vulnerability to manipulate affiliate links or conduct phishing campaigns. The vulnerability’s exploitation requires user interaction, which may limit automated widespread attacks but targeted spear-phishing or social engineering campaigns could be effective. Organizations worldwide using this plugin should consider the risk to their customer base and data privacy obligations.

1. Monitor the travishoki plugin repository and official WordPress plugin updates for a security patch addressing CVE-2025-13624 and apply it immediately upon release. 2. Until a patch is available, implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious payloads targeting the $_SERVER['PHP_SELF'] parameter. 3. Employ strict input validation and output encoding on all user-controllable inputs, especially those reflected in web pages, to prevent script injection. 4. Educate users and administrators about the risks of clicking untrusted links and encourage cautious behavior regarding affiliate links. 5. Conduct regular security audits and penetration testing focusing on plugin vulnerabilities and input sanitization. 6. Consider temporarily disabling or replacing the Overstock Affiliate Links plugin with a more secure alternative if immediate patching is not feasible. 7. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites, mitigating the impact of potential XSS attacks.