The myLCO WordPress plugin, developed by realloc, suffers from a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-13626. This vulnerability stems from improper neutralization of input during web page generation, specifically through the $_SERVER['PHP_SELF'] parameter. Versions up to and including 0.8.1 fail to sufficiently sanitize and escape this input, allowing attackers to inject arbitrary JavaScript code into web pages. Because the vulnerability is reflected, the malicious payload is embedded in a crafted URL that, when clicked by a user, causes the injected script to execute within the context of the vulnerable site. The attack does not require authentication but does require user interaction (clicking a malicious link). The CVSS 3.1 score of 6.1 reflects a medium severity, with an attack vector of network (remote), low attack complexity, no privileges required, but user interaction needed. The scope is changed, indicating that the vulnerability can affect resources beyond the vulnerable component. The impact affects confidentiality and integrity by enabling theft of session cookies, user impersonation, or manipulation of page content, but does not impact availability. No patches or exploits in the wild are currently reported, but the vulnerability is publicly disclosed and should be considered exploitable. The vulnerability is classified under CWE-79, a common web application security flaw. Given WordPress’s widespread use across Europe, especially in small to medium enterprises and public sector websites, the vulnerability poses a tangible risk to organizations relying on the myLCO plugin for functionality. Attackers could leverage this to conduct phishing, session hijacking, or deliver secondary payloads. The lack of current patches necessitates proactive mitigation strategies.

For European organizations, the reflected XSS vulnerability in myLCO can lead to significant confidentiality and integrity breaches. Attackers can steal session cookies, enabling account takeover or unauthorized actions on behalf of users. This is particularly critical for organizations handling sensitive user data, financial transactions, or personal information. Public sector websites, e-commerce platforms, and customer portals using the vulnerable plugin are at risk of reputational damage and regulatory penalties under GDPR if user data is compromised. The requirement for user interaction means social engineering campaigns could be effective, increasing the risk to end users. Although availability is not impacted, the indirect effects of trust erosion and potential data breaches can have severe operational and legal consequences. The vulnerability’s medium severity suggests it is a moderate but actionable threat, especially in environments where the plugin is widely deployed and users are less security-aware.

1. Monitor for official patches or updates from realloc and apply them immediately once available. 2. In the absence of patches, implement Web Application Firewalls (WAFs) with rules specifically designed to detect and block reflected XSS payloads targeting the $_SERVER['PHP_SELF'] parameter. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected web pages. 4. Sanitize and validate all user inputs and server variables in custom code or plugin extensions to prevent injection. 5. Educate users and staff about the risks of clicking on suspicious links, especially those received via email or social media. 6. Conduct regular security audits and penetration tests focusing on web application vulnerabilities. 7. Consider temporarily disabling or replacing the myLCO plugin with alternative solutions until a secure version is released. 8. Monitor web server logs for unusual requests that may indicate exploitation attempts. 9. Use security plugins for WordPress that provide XSS protection and input sanitization enhancements.