CVE-2025-13626 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the myLCO plugin for WordPress, maintained by realloc. This vulnerability affects all versions up to and including 0.8.1. The root cause is insufficient sanitization and output escaping of the $_SERVER['PHP_SELF'] parameter during web page generation. When a user accesses a URL containing malicious script code embedded in this parameter, the plugin reflects the input back into the page without proper neutralization, enabling execution of arbitrary JavaScript in the context of the victim's browser. The attack vector is remote and requires no authentication, but user interaction is necessary, typically by clicking a crafted link. The vulnerability impacts confidentiality and integrity by potentially allowing session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The CVSS 3.1 score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction and affecting confidentiality and integrity with a scope change. No patches were linked at the time of reporting, and no known exploits have been observed in the wild. The vulnerability is categorized under CWE-79, a common web application security issue. Given the widespread use of WordPress in Europe and the presence of the myLCO plugin in some installations, this vulnerability represents a tangible risk to organizations running affected versions. Attackers could leverage this flaw in phishing campaigns or targeted attacks to compromise user sessions or inject malicious payloads.

For European organizations, the impact of CVE-2025-13626 can be significant, particularly for those operating public-facing WordPress websites using the myLCO plugin. Successful exploitation could lead to theft of user credentials, session cookies, or other sensitive information, undermining user trust and potentially leading to unauthorized access to internal systems if single sign-on or session reuse is in place. The reflected XSS can also be used to deliver further malware or conduct phishing attacks, increasing the attack surface. While availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be substantial. Organizations in sectors such as finance, healthcare, and government are especially at risk due to the sensitivity of their data and the regulatory environment. The medium CVSS score indicates a moderate risk, but the ease of exploitation (no authentication required) and the potential for widespread impact on website visitors elevate the threat level. European entities with large user bases or high traffic volumes are more likely to experience exploitation attempts.

Immediate mitigation steps include monitoring for suspicious URL parameters and user reports of unusual website behavior. Organizations should prioritize updating the myLCO plugin to a patched version once available from the vendor. In the absence of an official patch, applying web application firewall (WAF) rules to detect and block malicious payloads targeting the $_SERVER['PHP_SELF'] parameter can reduce risk. Implementing strict input validation and output encoding on all user-controllable inputs is critical. Deploying Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Educating users about the risks of clicking on unsolicited links and employing anti-phishing technologies will reduce successful exploitation chances. Regular security audits and vulnerability scanning of WordPress plugins should be institutionalized to detect similar issues proactively. Additionally, isolating critical systems and limiting session lifetimes can minimize damage from compromised sessions.