CVE-2025-13701 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Shabat Keeper plugin for WordPress, affecting all versions up to and including 0.4.4. The root cause is insufficient sanitization and output escaping of the $_SERVER['PHP_SELF'] parameter during web page generation. This parameter, which contains the current script's filename, can be manipulated by an attacker to inject arbitrary JavaScript code. When a victim clicks a crafted URL containing malicious payloads in the PHP_SELF parameter, the injected script executes in the context of the victim's browser, potentially allowing session hijacking, credential theft, or unauthorized actions on behalf of the user. The vulnerability is exploitable remotely without authentication but requires user interaction (clicking a malicious link). The CVSS 3.1 base score is 6.1, reflecting medium severity with low attack complexity and no privileges required, but user interaction needed. The vulnerability affects the confidentiality and integrity of user data but does not impact availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The primary impact of this vulnerability is the compromise of user confidentiality and integrity through the execution of arbitrary scripts in the victim's browser. This can lead to theft of cookies, session tokens, or other sensitive information, enabling attackers to impersonate users or perform unauthorized actions within the affected WordPress site. While availability is not directly affected, successful exploitation can undermine user trust and site reputation. Organizations running the Shabat Keeper plugin on WordPress sites, especially those with high user interaction or sensitive data, face increased risk of targeted phishing or social engineering attacks leveraging this vulnerability. The lack of authentication requirement broadens the attack surface, and the need for user interaction means that social engineering is a key exploitation vector. The absence of known exploits in the wild suggests limited current active exploitation, but the medium severity score indicates that the vulnerability should be addressed promptly to prevent future attacks.

1. Immediate mitigation involves updating the Shabat Keeper plugin to a patched version once available. Since no patch links are currently provided, organizations should monitor vendor announcements closely. 2. As an interim measure, implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the PHP_SELF parameter. 3. Employ strict input validation and output encoding on all user-controllable inputs, especially those reflected in web pages. 4. Educate users about the risks of clicking unknown or suspicious links to reduce the likelihood of successful social engineering. 5. Review and harden Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce XSS impact. 6. Conduct regular security assessments and penetration testing focused on XSS vulnerabilities in WordPress plugins. 7. Disable or remove the Shabat Keeper plugin if it is not essential to reduce attack surface until a fix is available.