CVE-2025-13624 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Overstock Affiliate Links plugin for WordPress, affecting all versions up to and including 1.1. The root cause is insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] parameter during web page generation. This parameter reflects the current script's filename and can be manipulated by attackers to inject arbitrary JavaScript code. Because the vulnerability is reflected, exploitation requires an attacker to craft a malicious URL containing the payload and convince a user to click it. Upon visiting the crafted URL, the injected script executes in the context of the vulnerable website, potentially allowing theft of session cookies, redirection to malicious sites, or unauthorized actions on behalf of the user. The vulnerability does not require authentication (PR:N) but does require user interaction (UI:R). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No patches or known exploits are currently available, but the vulnerability is publicly disclosed. This type of XSS is common in WordPress plugins that fail to properly sanitize server variables before outputting them in HTML contexts, making it a critical concern for websites relying on this plugin for affiliate marketing functionality.

For European organizations, especially those operating e-commerce or affiliate marketing websites using WordPress with the Overstock Affiliate Links plugin, this vulnerability poses a risk to user confidentiality and data integrity. Attackers could steal session cookies or credentials, leading to account compromise or unauthorized transactions. The reflected XSS could also be used for phishing campaigns or to distribute malware by redirecting users to malicious sites. Although availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for failing to protect user data could be significant. Organizations with high traffic or sensitive user data are at greater risk. The vulnerability's exploitation requires user interaction, limiting automated widespread attacks but still posing a targeted threat. The absence of known exploits in the wild suggests a window of opportunity for proactive mitigation.

European organizations should immediately audit their WordPress installations to identify the presence of the Overstock Affiliate Links plugin. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. If removal is not feasible, applying manual input validation and output escaping on the $_SERVER['PHP_SELF'] parameter within the plugin code can mitigate the risk. Employing Web Application Firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting this parameter can provide additional protection. Organizations should also educate users about the risks of clicking suspicious links and monitor web traffic for unusual patterns. Regularly updating WordPress core, themes, and plugins remains essential. Finally, implementing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution origins.