CVE-2025-13893 is a reflected cross-site scripting vulnerability identified in the Lesson Plan Book plugin for WordPress, developed by burtrw. This vulnerability affects all versions up to and including 1.3 and is caused by improper neutralization of input during web page generation, specifically via the $_SERVER['PHP_SELF'] variable. The plugin fails to adequately sanitize and escape this server variable before embedding it into web pages, allowing attackers to craft URLs containing malicious JavaScript code. When a user clicks such a link, the injected script executes in the context of the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability requires no authentication (AV:N), has low attack complexity (AC:L), but requires user interaction (UI:R). The scope is changed (S:C) because the vulnerability can affect resources beyond the vulnerable component. The impact on confidentiality and integrity is low (C:L, I:L), with no impact on availability. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and assigned a CVSS 3.1 score of 6.1, indicating medium severity. The vulnerability is categorized under CWE-79, a common web application security weakness. The lack of patches at the time of disclosure increases the urgency for mitigation through alternative means.

For European organizations, particularly educational institutions and entities using WordPress with the Lesson Plan Book plugin, this vulnerability poses a risk of session hijacking, credential theft, and unauthorized actions performed on behalf of users. Attackers can exploit this vulnerability to inject malicious scripts that may steal cookies or tokens, manipulate displayed content, or redirect users to phishing sites. This can lead to data breaches, loss of user trust, and potential regulatory non-compliance under GDPR if personal data is compromised. The reflected nature of the XSS means the attack vector relies on social engineering to trick users into clicking malicious links, increasing the risk in environments with less cybersecurity awareness. The vulnerability does not directly affect system availability but can undermine the integrity and confidentiality of user sessions and data. Given the widespread use of WordPress in Europe and the popularity of educational plugins, the potential attack surface is significant.

1. Monitor for and apply official patches or updates from the plugin vendor as soon as they become available. 2. In the absence of patches, implement Web Application Firewalls (WAFs) with rules specifically targeting reflected XSS patterns, especially those involving the PHP_SELF variable. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 4. Sanitize and validate all user-controllable inputs at the application level, ensuring that server variables like PHP_SELF are properly escaped before output. 5. Educate users and staff about the risks of clicking suspicious links, particularly those received via email or messaging platforms. 6. Conduct regular security audits and penetration testing focusing on XSS vulnerabilities in WordPress plugins. 7. Consider disabling or replacing the vulnerable plugin with a more secure alternative if immediate patching is not feasible. 8. Enable HTTP-only and secure flags on cookies to reduce the risk of session theft via XSS.