CVE-2025-13676 identifies a reflected Cross-Site Scripting vulnerability in the JustClick registration plugin for WordPress, maintained by ostin654. The vulnerability exists in all versions up to and including 0.1 due to insufficient sanitization and output escaping of the PHP_SELF server variable during web page generation. This improper neutralization of input (CWE-79) allows unauthenticated attackers to craft malicious URLs containing executable JavaScript code. When a victim clicks such a link, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or other malicious actions. The vulnerability does not require authentication but does require user interaction (clicking the malicious link). The CVSS 3.1 base score of 6.1 reflects a network attack vector, low attack complexity, no privileges required, user interaction required, and impacts confidentiality and integrity with scope changed due to the reflected nature of the attack. No patches are currently available, and no exploits have been reported in the wild. The flaw highlights a common web security issue where server variables like PHP_SELF are used insecurely without proper sanitization or encoding, exposing web applications to XSS attacks.

The primary impact of this vulnerability is the compromise of user confidentiality and integrity on websites using the JustClick registration plugin. Attackers can steal session cookies, deface web content, or redirect users to malicious sites by injecting scripts. This can lead to account takeover, phishing, or distribution of malware. Although availability is not affected, the trustworthiness of affected websites can be severely damaged, resulting in reputational harm and potential legal consequences under data protection regulations. Organizations relying on this plugin for user registration or interaction may face increased risk of targeted attacks, especially if their user base is large or includes high-value targets. The vulnerability's exploitation requires user interaction, which may limit widespread automated attacks but remains a significant risk through social engineering campaigns.

Organizations should immediately audit their WordPress installations to identify the presence of the JustClick registration plugin. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. Developers maintaining the plugin must implement proper input validation and output encoding for the PHP_SELF variable, using secure coding practices such as htmlspecialchars or equivalent functions to neutralize script injection. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Web Application Firewalls (WAFs) should be configured to detect and block common XSS payloads targeting PHP_SELF or reflected parameters. Additionally, educating users about the risks of clicking suspicious links can reduce successful exploitation. Monitoring web logs for unusual URL patterns referencing PHP_SELF may help detect attempted attacks.