CVE-2025-13701 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the beshkin Shabat Keeper plugin for WordPress, present in all versions up to and including 0.4.4. The vulnerability stems from improper neutralization of input during web page generation, specifically due to insufficient sanitization and escaping of the $_SERVER['PHP_SELF'] parameter. This parameter reflects the current script's filename and can be manipulated by an attacker to inject arbitrary JavaScript code. Because the vulnerability is reflected, the malicious script is embedded in a URL or link that, when clicked by a victim, causes the script to execute in the victim's browser context. This can lead to theft of cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of the user. The vulnerability requires no authentication (AV:N) and has low attack complexity (AC:L), but does require user interaction (UI:R) such as clicking a crafted link. The scope is changed (S:C) because the vulnerability affects resources beyond the vulnerable component, potentially impacting the entire WordPress site. The CVSS 3.1 base score is 6.1, indicating medium severity with partial confidentiality and integrity impact but no availability impact. No known exploits are currently reported in the wild. The plugin is niche but may be used by communities observing Shabbat, potentially in religious or cultural websites. The lack of a patch link suggests a fix is pending or must be manually implemented by sanitizing the $_SERVER['PHP_SELF'] input and applying proper output encoding to prevent script injection.

For European organizations, the impact of this vulnerability can be significant if the Shabat Keeper plugin is used on publicly accessible WordPress sites. Successful exploitation can lead to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges, undermining user trust and potentially exposing sensitive data. Organizations with websites serving religious or cultural communities that use this plugin are particularly at risk. The vulnerability can facilitate phishing campaigns by embedding malicious scripts in URLs, increasing the likelihood of user compromise. While it does not directly affect system availability, the breach of confidentiality and integrity can lead to reputational damage, regulatory penalties under GDPR if personal data is compromised, and financial losses. The medium CVSS score reflects a moderate but actionable risk that should be addressed promptly to prevent exploitation.

To mitigate CVE-2025-13701, organizations should first verify if they use the Shabat Keeper plugin and identify the version in use. Since no official patch link is provided, immediate steps include: 1) Temporarily disabling the plugin if feasible to eliminate exposure. 2) Implementing manual input validation and sanitization on the $_SERVER['PHP_SELF'] parameter within the plugin code, ensuring that any reflected input is properly escaped using secure coding practices such as PHP's htmlspecialchars() with ENT_QUOTES and UTF-8 encoding. 3) Employing a Web Application Firewall (WAF) with rules to detect and block reflected XSS attempts targeting this parameter. 4) Educating users and administrators about the risk of clicking suspicious links and encouraging cautious behavior. 5) Monitoring web server logs for unusual query strings or repeated attempts to exploit the vulnerability. 6) Once an official patch is released by the vendor, promptly apply the update. 7) Conduct regular security assessments and penetration testing focusing on input validation weaknesses in WordPress plugins.