The Top Position Google Finance plugin for WordPress suffers from a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-13895. This vulnerability stems from improper neutralization of user input in the $_SERVER['PHP_SELF'] variable, which is used during web page generation without adequate sanitization or output escaping. As a result, an attacker can craft a malicious URL containing executable JavaScript code that, when clicked by a victim, executes in the context of the vulnerable website. This attack vector requires no authentication but does require user interaction (clicking a link). The vulnerability affects all versions up to and including 0.1.0 of the plugin. The CVSS 3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. The vulnerability allows attackers to steal session cookies, perform actions on behalf of users, or manipulate displayed content, potentially leading to phishing or further exploitation. No patches or official fixes are currently published, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation.

For European organizations, especially those operating finance-related websites using WordPress with the Top Position Google Finance plugin, this vulnerability poses a risk of client-side script injection. Successful exploitation can lead to theft of sensitive user information such as session cookies, enabling account hijacking or unauthorized actions. It can also facilitate phishing attacks by altering webpage content to deceive users. While the vulnerability does not directly affect server availability, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. Organizations with high volumes of web traffic and financial transactions are particularly at risk. The medium severity rating indicates moderate impact, but the ease of exploitation (no authentication required) increases the threat level. The lack of known exploits in the wild suggests limited current active targeting, but the vulnerability remains exploitable if discovered by attackers.

Organizations should immediately audit their WordPress installations to identify the presence of the Top Position Google Finance plugin and its version. Since no official patches are currently available, temporary mitigations include disabling or removing the plugin if feasible. If the plugin must remain active, implement strict input validation and output encoding on the $_SERVER['PHP_SELF'] variable or any user-controllable inputs to prevent script injection. Deploy Web Application Firewalls (WAFs) with rules targeting reflected XSS payloads, particularly those exploiting PHP_SELF or similar server variables. Educate users and administrators about the risks of clicking suspicious links. Monitor web logs for unusual URL patterns indicative of exploitation attempts. Stay alert for vendor updates or patches and apply them promptly once released. Additionally, consider Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of potential XSS attacks.