CVE-2025-13895 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Top Position Google Finance plugin for WordPress, present in all versions up to and including 0.1.0. The vulnerability stems from the plugin's failure to properly sanitize and escape the $_SERVER['PHP_SELF'] server variable when generating web pages. This variable can be manipulated by an attacker to inject arbitrary JavaScript code into the page output. Because the vulnerability is reflected, the malicious script is embedded in a crafted URL that, when clicked by a user, causes the script to execute in the context of the vulnerable website. The attack requires no authentication but does require user interaction (clicking a malicious link). The impact includes potential theft of user session cookies, defacement, or redirection to malicious sites, compromising confidentiality and integrity of user data. The CVSS 3.1 base score is 6.1, indicating medium severity with network attack vector, low attack complexity, no privileges required, user interaction needed, and scope changed due to potential impact on user sessions. No patches or official fixes are currently available, and no exploits have been observed in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The primary impact of CVE-2025-13895 is the potential compromise of user confidentiality and integrity on websites using the vulnerable Top Position Google Finance plugin. Attackers can steal session cookies, enabling account hijacking, or manipulate page content to perform phishing or deliver malware. While availability is not directly affected, the reputational damage and loss of user trust can be significant. Since the vulnerability requires user interaction, the scope is limited to users who click malicious links, but given the widespread use of WordPress and the plugin's focus on financial data, targeted attacks could affect financial institutions, investment firms, and financial news websites. Organizations worldwide that rely on this plugin risk exposure to data theft, unauthorized actions on behalf of users, and potential regulatory consequences if user data is compromised.

To mitigate CVE-2025-13895, organizations should immediately audit their WordPress installations for the presence of the Top Position Google Finance plugin and its version. If possible, update to a patched version once released by the vendor. In the absence of an official patch, implement manual input validation and output encoding on the $_SERVER['PHP_SELF'] variable to neutralize malicious input. Employ Web Application Firewalls (WAFs) with rules targeting reflected XSS patterns specific to this plugin. Educate users to avoid clicking suspicious links and implement Content Security Policy (CSP) headers to restrict script execution sources. Additionally, monitor web logs for unusual URL patterns that may indicate exploitation attempts. Regularly review plugin security advisories and subscribe to vulnerability feeds to apply updates promptly.