CVE-2025-13625 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the WP-SOS-Donate Donation Sidebar Plugin for WordPress, affecting all versions up to and including 0.9.2. The vulnerability stems from improper neutralization of input during web page generation, specifically via the $_SERVER['PHP_SELF'] parameter. This parameter is used in the plugin without adequate sanitization or output escaping, allowing attackers to inject arbitrary JavaScript code into web pages. When a victim clicks a crafted URL containing malicious script code embedded in the PHP_SELF parameter, the injected script executes in the victim's browser context. This can lead to theft of session cookies, defacement, or unauthorized actions performed with the victim's privileges. The vulnerability requires no authentication (AV:N), has low attack complexity (AC:L), no privileges required (PR:N), but requires user interaction (UI:R). The scope is changed (S:C) because the attack can affect other users' data or sessions. The impact affects confidentiality and integrity (C:L/I:L) but not availability (A:N). Although no known exploits are reported in the wild, the vulnerability is publicly disclosed and can be weaponized by attackers targeting WordPress sites using this plugin. The plugin is commonly used by organizations to facilitate donations, making it a potential target for attackers aiming to compromise donor data or disrupt fundraising activities. The CVSS score of 6.1 reflects a medium severity level, indicating a significant but not critical risk. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially plugins that handle user input or URL parameters. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for interim protective measures.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the WP-SOS-Donate plugin. Successful exploitation can lead to theft of sensitive user data such as session cookies, enabling account hijacking or unauthorized actions on behalf of users. This can damage organizational reputation, erode donor trust, and potentially lead to financial loss or regulatory scrutiny under GDPR due to compromised personal data. The reflected XSS nature means the attack requires user interaction, typically through phishing or social engineering, which can be effective against donors or staff. Nonprofit organizations and charities in Europe that rely on online donations are particularly vulnerable, as attackers may target them to disrupt fundraising or steal donor information. Additionally, the vulnerability could be leveraged as a stepping stone for more complex attacks, including delivering malware or redirecting users to malicious sites. Given the medium CVSS score and the lack of known exploits, the immediate risk is moderate but could escalate if exploit code becomes available. The impact on availability is minimal, but confidentiality and integrity risks are significant enough to warrant prompt attention.

European organizations should implement the following specific measures: 1) Monitor the plugin vendor’s announcements and apply patches immediately once available; 2) If no patch is available, consider temporarily disabling the WP-SOS-Donate plugin or replacing it with alternative donation plugins that are actively maintained and secure; 3) Deploy Web Application Firewall (WAF) rules tailored to detect and block malicious payloads targeting the PHP_SELF parameter or typical reflected XSS patterns; 4) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers; 5) Conduct user awareness training focused on phishing and social engineering to reduce the likelihood of users clicking malicious links; 6) Regularly audit and sanitize all user-controllable inputs in custom or third-party plugins; 7) Use security plugins that scan for vulnerabilities and suspicious activity on WordPress sites; 8) Employ multi-factor authentication (MFA) for administrative access to reduce the impact of session hijacking; 9) Monitor web server and application logs for unusual requests that may indicate exploitation attempts; 10) Engage in regular security assessments and penetration testing to identify and remediate similar vulnerabilities proactively.