CVE-2025-13626: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in realloc myLCO
The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-13626 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the myLCO plugin for WordPress, developed by realloc. The vulnerability exists due to improper neutralization of input during web page generation, specifically involving the $_SERVER['PHP_SELF'] parameter. This parameter is used in the plugin without adequate input sanitization or output escaping, allowing attackers to inject arbitrary JavaScript code into web pages. Since the vulnerability is reflected, the malicious script is embedded in a URL or request that the victim must interact with, typically by clicking a crafted link. The vulnerability affects all versions of myLCO up to and including 0.8.1. Exploitation does not require authentication, increasing the risk surface, but does require user interaction. The CVSS 3.1 base score is 6.1, indicating a medium severity level, with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, meaning network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly to prevent potential attacks such as session hijacking, credential theft, or phishing.
Potential Impact
The primary impact of this vulnerability is on the confidentiality and integrity of user data. An attacker exploiting this reflected XSS can execute arbitrary scripts in the context of the victim's browser, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of the user. Although availability is not affected, the compromise of user sessions or credentials can lead to further attacks within the affected WordPress site or connected systems. Organizations using the myLCO plugin are at risk of reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. Since the vulnerability requires user interaction, the impact depends on the success of social engineering efforts. The scope is significant because WordPress powers a large portion of websites globally, and the myLCO plugin may be used in diverse sectors, including small businesses, blogs, and possibly larger enterprises. Without mitigation, attackers could leverage this vulnerability to conduct targeted phishing campaigns or broader attacks against site visitors.
Mitigation Recommendations
1. Immediate upgrade: Organizations should update the myLCO plugin to a version that addresses this vulnerability once released by realloc.
2. Input validation and output encoding: Developers should ensure that all user-controllable inputs, especially $_SERVER['PHP_SELF'], are properly sanitized and escaped before rendering in HTML contexts.
3. Web Application Firewall (WAF): Deploy a WAF with rules to detect and block reflected XSS payloads targeting the affected plugin.
4. Content Security Policy (CSP): Implement strict CSP headers to restrict execution of unauthorized scripts and reduce the impact of XSS attacks.
5. User awareness: Educate users about the risks of clicking suspicious links, especially those that appear to come from untrusted sources.
6. Monitoring and logging: Enable detailed logging of web requests to detect suspicious activity indicative of attempted exploitation.
7. Disable or restrict the plugin temporarily if patching is not immediately possible, especially on high-risk or public-facing sites.
8. Regular security assessments: Conduct periodic vulnerability scans and penetration tests focusing on plugins and third-party components.
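Recommendation 2 above is the root-cause fix. The following is an added illustration, not code from the myLCO plugin (the page does not show the plugin's source, so the `mylco_demo_*` function names are placeholders): it contrasts the classic unescaped `$_SERVER['PHP_SELF']` form-action sink with two hardened versions, one using plain PHP attribute escaping and one using the WordPress idiom of never reflecting the request path at all.

```php
<?php
// Added illustration (not the myLCO plugin's code). Function names are
// placeholders. Shows why echoing $_SERVER['PHP_SELF'] unescaped is a
// reflected-XSS sink and how to harden it.

// VULNERABLE PATTERN: $_SERVER['PHP_SELF'] includes any extra path segment
// the client appends after the script name (PATH_INFO), so its value is
// request-controlled, yet here it is written straight into an HTML
// attribute without escaping.
function mylco_demo_form_vulnerable() {
    echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
    echo '<input type="submit" value="Save"></form>';
}

// HARDENED, plain PHP: encode for the HTML attribute context before output.
// ENT_QUOTES converts both quote styles so the attribute cannot be closed
// early; the explicit charset avoids encoding-mismatch edge cases.
function mylco_demo_form_escaped() {
    $action = htmlspecialchars( $_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8' );
    echo '<form method="post" action="' . $action . '">';
    echo '<input type="submit" value="Save"></form>';
}

// HARDENED, WordPress idiom: do not reflect the request path at all.
// Build the action from a trusted source (admin_url() in wp-admin, the
// current post's permalink on the front end) and pass it through
// esc_url(), which validates the URL scheme and escapes it for output
// inside an attribute.
function mylco_demo_form_wp() {
    $action = is_admin() ? admin_url( 'admin-post.php' ) : get_permalink();
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    echo '<input type="submit" value="Save"></form>';
}
```

Reviewers auditing a plugin for this CVE class can grep for `PHP_SELF`, `REQUEST_URI` and `QUERY_STRING` reaching `echo`/`print` without an `esc_*` or `htmlspecialchars` wrapper; each hit is a candidate sink to check against the escaped form above.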
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-24T21:17:12.700Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6933c71e11163305efef3dcf
Added to database: 12/6/2025, 6:03:10 AM
Last enriched: 2/27/2026, 10:05:26 AM
Last updated: 3/26/2026, 3:46:53 AM