The CSV Sumotto plugin for WordPress suffers from a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-13894. This vulnerability is due to improper neutralization of input during web page generation, specifically involving the $_SERVER['PHP_SELF'] variable. The plugin fails to adequately sanitize and escape this input, which is directly reflected in the generated web pages. An unauthenticated attacker can exploit this by crafting a malicious URL containing executable JavaScript code embedded in the PHP_SELF variable. When a victim clicks this link, the injected script executes in their browser context, potentially leading to session hijacking, theft of cookies or credentials, or other malicious client-side actions. The vulnerability affects all versions up to and including 1.0 of CSV Sumotto. The CVSS 3.1 score of 6.1 reflects a medium severity, with an attack vector of network (remote), low attack complexity, no privileges required, but requiring user interaction. The scope is changed because the vulnerability affects user data confidentiality and integrity. No patches have been released at the time of this report, and no known exploits are currently in the wild. The vulnerability is classified under CWE-79, a common and well-understood web application security issue. Given the widespread use of WordPress and its plugins, this vulnerability poses a notable risk to websites using CSV Sumotto, especially those that do not implement additional security controls.

The primary impact of this vulnerability is on the confidentiality and integrity of user data. Successful exploitation can lead to theft of session cookies, enabling attackers to impersonate legitimate users or administrators. This can result in unauthorized access to sensitive information or administrative functions. Additionally, attackers may execute arbitrary scripts to perform actions on behalf of users, such as changing settings or injecting further malicious content. Although availability is not directly affected, the resulting compromise can lead to reputational damage, loss of customer trust, and potential regulatory penalties for organizations. Since the vulnerability requires user interaction, the attack surface is somewhat limited, but phishing or social engineering campaigns can increase the risk. Organizations running websites with this plugin are at risk of targeted attacks, especially if they handle sensitive user data or financial transactions.

Organizations should immediately audit their WordPress installations to identify the presence of the CSV Sumotto plugin. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the vulnerability. Implementing strict input validation and output encoding on all user-controllable inputs, especially those reflected in web pages, is critical. Employing a Web Application Firewall (WAF) with rules to detect and block reflected XSS payloads targeting the PHP_SELF variable can provide interim protection. Educating users about the risks of clicking suspicious links and implementing Content Security Policy (CSP) headers can reduce the impact of potential attacks. Monitoring web server logs for unusual requests containing script tags or suspicious URL parameters can help detect exploitation attempts. Once a patch is available, prompt application and testing are essential. Additionally, adopting a secure development lifecycle that includes regular security testing of plugins can prevent similar issues.