CVE-2025-14118 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Starred Review plugin for WordPress, affecting all versions up to and including 1.4.2. The vulnerability stems from insufficient sanitization and escaping of the PHP_SELF variable during web page generation, which is a common vector for reflected XSS attacks. An unauthenticated attacker can craft a malicious URL containing executable JavaScript code embedded in the PHP_SELF variable. When a victim clicks this link, the injected script executes in the context of the victim's browser session on the vulnerable site. This can lead to theft of cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of the user. The vulnerability does not require authentication but does require user interaction (clicking a malicious link). The CVSS 3.1 base score is 6.1, indicating a medium severity level, with attack vector being network (remote), low attack complexity, no privileges required, user interaction required, and scope changed due to possible impact beyond the vulnerable component. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is widely used in WordPress environments, which are prevalent in many European organizations’ web infrastructures.

For European organizations, the impact of this vulnerability can be significant, particularly for those relying on WordPress sites with the Starred Review plugin installed. The reflected XSS can lead to session hijacking, credential theft, or unauthorized actions performed under the victim's identity, potentially compromising user data confidentiality and integrity. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), and cause financial losses. Since the vulnerability requires user interaction, phishing campaigns could be used to exploit it, increasing risk for organizations with large user bases or customers. The availability of the website is not directly affected, but the trustworthiness and security posture of the affected web properties can be undermined. Organizations in sectors such as e-commerce, media, and public services, which heavily use WordPress, are particularly at risk.

Immediate mitigation involves removing or disabling the Starred Review plugin until a patched version is released. Organizations should monitor the vendor's announcements for updates and apply patches promptly once available. In the interim, web application firewalls (WAFs) can be configured to detect and block suspicious requests containing malicious payloads in the PHP_SELF variable. Implementing strict Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Additionally, manual code review and patching to sanitize and escape all user-controllable inputs, especially PHP_SELF, can mitigate the vulnerability. Security awareness training should be provided to users to recognize and avoid phishing attempts that could exploit this vulnerability. Regular vulnerability scanning and penetration testing should include checks for reflected XSS issues in WordPress plugins.