CVE-2025-13625: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in switch2mac WP-SOS-Donate Donation Sidebar Plugin
The WP-SOS-Donate Donation Sidebar Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-13625 is a reflected Cross-Site Scripting (XSS) vulnerability in the WP-SOS-Donate Donation Sidebar Plugin for WordPress, maintained by switch2mac, affecting all versions up to and including 0.9.2. The plugin writes $_SERVER['PHP_SELF'] into generated HTML without escaping it for the output context. PHP_SELF is not a request parameter but a server variable that PHP builds from the executing script's path plus any trailing path segment (PATH_INFO) the client appended, so an attacker controls its value simply by adding markup to the URL path, for example a request whose path ends in index.php/"><script>...</script>. The page does not identify the exact output location inside the plugin, but the usual pattern for this bug class is a form action attribute, where a closing quote and angle bracket are enough to break out of the attribute and inject a script element. The flaw is CWE-79, improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.1 (medium): network attack vector, low attack complexity, no privileges required, user interaction required (the victim must open the crafted link), and scope changed because the injected script executes in the victim's browser under the site's origin, a different security authority from the web server that hosts the plugin; confidentiality and integrity impact are rated low, availability is unaffected. No known exploits in the wild are reported as of publication. Because a donation sidebar is by design rendered on public pages, the injection point is reachable without authentication. The advisory lists no fixed version, so interim mitigation is needed until the vendor ships one.
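The bug class in runnable form, as an added example that is not the WP-SOS-Donate plugin's code (the page does not publish the vulnerable line): a PHP script that shows how PHP_SELF picks up attacker-appended path info, a vulnerable form renderer beside an escaped one, and a simple check for the injected tag. The function names, the $server array and the sample request are made up for the illustration.

```php
<?php
// Added example, not the WP-SOS-Donate plugin's code. Function names, the
// $server array and the sample request are illustrative.

// PHP populates $_SERVER['PHP_SELF'] as SCRIPT_NAME . PATH_INFO, so any path
// segment the client appends after the script name is reflected verbatim.
// The web server typically hands PATH_INFO to PHP already percent-decoded.
function build_php_self(string $scriptName, string $pathInfo): string
{
    return $scriptName . $pathInfo;
}

// Vulnerable pattern: the server variable is concatenated into an attribute
// with no escaping. A path ending in  "><script>...  closes the attribute and
// the tag, and the injected element is parsed as real markup.
function render_form_vulnerable(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">'
         . '<input type="submit" value="Donate"></form>';
}

// Hardened: emit a URL the application owns and escape it for the attribute
// context. htmlspecialchars() with ENT_QUOTES is the plain-PHP equivalent of
// WordPress's esc_url()/esc_attr(); inside WordPress the form would use
// esc_url( admin_url( 'admin-post.php' ) ) or the current permalink, never PHP_SELF.
function render_form_fixed(string $actionUrl): string
{
    $safe = htmlspecialchars($actionUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">'
         . '<input type="submit" value="Donate"></form>';
}

// Crude oracle for the demo: does a real <script element appear in the output?
function contains_script_tag(string $html): bool
{
    return preg_match('/<script\b/i', $html) === 1;
}

// Constructed request: GET /index.php/"><script>alert(document.domain)</script>
// (a browser sends it percent-encoded; PHP sees the decoded PATH_INFO).
$pathInfo = '/"><script>alert(document.domain)</script>';
$phpSelf  = build_php_self('/index.php', $pathInfo);

$vulnerable = render_form_vulnerable(['PHP_SELF' => $phpSelf]);
$escaped    = render_form_fixed($phpSelf);   // hostile value, but neutralised
$intended   = render_form_fixed('/donate/'); // what the plugin should actually emit

printf("vulnerable:  %s\n  script tag present: %s\n", $vulnerable, contains_script_tag($vulnerable) ? 'yes' : 'no');
printf("escaped:     %s\n  script tag present: %s\n", $escaped, contains_script_tag($escaped) ? 'yes' : 'no');
printf("app-owned:   %s\n", $intended);
```

Run it with php from the command line: the vulnerable output contains a live script element, the escaped output contains only &quot;&gt;&lt;script&gt; entities inside the attribute value, and the third line shows that the real fix is to stop reading PHP_SELF at all rather than to sanitise it.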
Potential Impact
A successful attack runs attacker-chosen JavaScript in the victim's browser with the full authority of the WordPress site's origin, not just the sidebar. WordPress sets its authentication cookies with the HttpOnly flag by default, so reading the session cookie through document.cookie is usually not possible; the practical impact is instead that the script acts as the victim. It can send authenticated requests to admin-ajax.php, the REST API or wp-admin pages using the victim's session and any nonces present in the page, rewrite the rendered page to present a fake donation or login form, redirect to a phishing or malware site, or deface content. If the victim is an administrator, this amounts to an authenticated foothold on the site. Availability is not directly affected, but the trustworthiness of a fundraising site and donor confidence can be badly damaged, and unauthorized actions or data exposure may trigger data-protection obligations. Exploitation requires only a crafted URL and a single click, which makes it a practical threat against sites with a large public audience or whose administrators can be reached by email or social media.
Mitigation Recommendations
Update the WP-SOS-Donate plugin as soon as the vendor publishes a version later than 0.9.2 that addresses the issue. Until then: if the plugin is not essential, deactivate it; if it is, locate the use of $_SERVER['PHP_SELF'] in the plugin and replace it with a URL the application owns (for example the current permalink or admin_url('admin-post.php')), passed through esc_url() or esc_attr() for the attribute context, and record the change because a plugin update will overwrite it. Note that PHP_SELF is not a request parameter: WAF or log rules that only inspect query strings and POST bodies miss it. Block or alert on requests whose URL path, after percent-decoding (including double encoding), contains <, >, ", ' or a javascript: scheme, particularly after a .php segment. A Content Security Policy whose script-src omits 'unsafe-inline' blocks the injected inline script, but WordPress core and many themes rely on inline scripts, so a nonce- or hash-based policy needs testing before enforcement; start in report-only mode. Keep administrators aware that a link to the site's own domain can carry a payload in its path, and review other installed plugins for the same pattern, since echoing PHP_SELF without escaping is a widespread bug class.
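Log-based detection as an added example, not taken from the advisory: a PHP scanner over constructed combined-format access-log lines that flags percent-encoded (including double-encoded) markup in the URL path, and deliberately does not flag markup that appears only in the query string, because PHP_SELF never includes the query. The sample lines and the function and constant names are invented for the illustration.

```php
<?php
// Added example, not part of the advisory. Sample log lines are constructed;
// function and constant names are illustrative.

// Combined log format lines. Only the second and third carry markup in the
// URL path; the fourth has it only in the query string, which PHP_SELF never
// includes, so a PHP_SELF-focused rule should not fire on it.
const SAMPLE_ACCESS_LOG = <<<'LOG'
203.0.113.7 - - [05/Dec/2025:05:45:23 +0000] "GET /donate/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Dec/2025:05:45:31 +0000] "GET /index.php/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Dec/2025:05:46:02 +0000] "GET /index.php/%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 404 2011 "-" "curl/8.4.0"
198.51.100.9 - - [05/Dec/2025:05:46:40 +0000] "GET /wp-content/plugins/example/page.php?q=%3Cb%3Ehi%3C/b%3E HTTP/1.1" 200 900 "-" "curl/8.4.0"
LOG;

// Percent-decode until the string stops changing (bounded), so that
// %2522 -> %22 -> " is caught as well as a single layer of encoding.
function fully_decode(string $s, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = rawurldecode($s);
        if ($next === $s) {
            break;
        }
        $s = $next;
    }
    return $s;
}

// Returns one finding per suspicious line: ip, time, method, status, raw path,
// decoded path and the reasons it was flagged.
function scan_access_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue; // not combined format; skip rather than guess
        }
        [, $ip, $ts, $method, $target, $status] = $m;

        // PHP_SELF = SCRIPT_NAME . PATH_INFO: only the path matters, never the query.
        $path    = explode('?', $target, 2)[0];
        $decoded = fully_decode($path);

        $reasons = [];
        if (preg_match('/[<>"\']/', $decoded)) {
            $reasons[] = 'markup characters in URL path';
        }
        if (preg_match('/javascript:|on[a-z]+\s*=/i', $decoded)) {
            $reasons[] = 'script scheme or event handler in URL path';
        }
        if ($reasons && preg_match('#\.php/.#i', $decoded)) {
            $reasons[] = 'payload sits in PATH_INFO after a .php script';
        }
        if ($reasons) {
            $findings[] = [
                'ip' => $ip, 'time' => $ts, 'method' => $method, 'status' => (int) $status,
                'path' => $path, 'decoded' => $decoded, 'reason' => implode('; ', $reasons),
            ];
        }
    }
    return $findings;
}

foreach (scan_access_log(SAMPLE_ACCESS_LOG) as $f) {
    printf("[%s] %s %s %d\n  raw:     %s\n  decoded: %s\n  reason:  %s\n",
        $f['time'], $f['ip'], $f['method'], $f['status'], $f['path'], $f['decoded'], $f['reason']);
}
```

Point it at a real access log with file_get_contents() in place of the constant. A 200 status on a flagged line is the one to triage first: WordPress still renders the sidebar on a path it cannot route, so a 404 does not mean the reflection failed, but a 200 means the page the victim saw was served in full.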
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-24T21:15:13.302Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69327173f88dbe026c7799d4
Added to database: 12/5/2025, 5:45:23 AM
Last enriched: 2/27/2026, 10:05:06 AM
Last updated: 3/25/2026, 2:44:30 AM