CVE-2025-13625 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the WP-SOS-Donate Donation Sidebar Plugin for WordPress, maintained by switch2mac. The vulnerability exists due to improper neutralization of input during web page generation, specifically through the $_SERVER['PHP_SELF'] parameter. This parameter is used in the plugin without adequate sanitization or output escaping, enabling attackers to inject arbitrary JavaScript code into the web pages generated by the plugin. Because the vulnerability is reflected, the malicious payload is embedded in a crafted URL that, when visited by a user, causes the injected script to execute in the context of the victim's browser session. This can lead to theft of cookies, session tokens, or other sensitive information, as well as potential manipulation of the webpage content. The vulnerability affects all versions up to and including 0.9.2 of the plugin. It requires no authentication but does require user interaction (clicking a malicious link). The CVSS v3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. No public exploits have been reported yet. The plugin is commonly used on WordPress sites to facilitate donations, making it a target for attackers aiming to compromise donation platforms or their users. The reflected XSS nature means that phishing campaigns or social engineering could be used to exploit this vulnerability effectively.

For European organizations, particularly nonprofits, charities, and fundraising platforms using WordPress with the WP-SOS-Donate plugin, this vulnerability poses a risk to user data confidentiality and website integrity. Attackers could steal session cookies or credentials, potentially leading to account takeover or unauthorized actions on the site. The trustworthiness of donation platforms could be undermined, damaging reputation and donor confidence. While availability is not directly impacted, the indirect consequences of data theft or site defacement could disrupt operations. Given the widespread use of WordPress in Europe and the popularity of donation plugins, the scope of affected systems could be significant. The requirement for user interaction means targeted phishing or social engineering campaigns could be effective, increasing the risk to end users. The medium severity score reflects a moderate but meaningful threat that should be addressed promptly to prevent exploitation.

Organizations should monitor for an official patch or update from switch2mac and apply it immediately once available. Until a patch is released, administrators can implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious payloads targeting the $_SERVER['PHP_SELF'] parameter. Manual code review and modification to sanitize and properly escape all user-controllable inputs, especially $_SERVER['PHP_SELF'], can mitigate the vulnerability. Employing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Educating users about phishing risks and suspicious links can reduce the likelihood of successful exploitation. Regular security scanning and penetration testing focused on XSS vulnerabilities in WordPress plugins should be conducted. Additionally, limiting plugin usage to trusted and necessary components reduces the attack surface.