CVE-2025-14118: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in callumalden Starred Review
CVE-2025-14118 is a reflected Cross-Site Scripting (XSS) vulnerability in the Starred Review WordPress plugin up to version 1. 4. 2. It arises from improper sanitization of the PHP_SELF variable, allowing unauthenticated attackers to inject malicious scripts via crafted URLs. Exploitation requires tricking users into clicking malicious links, leading to script execution in their browsers. The vulnerability impacts confidentiality and integrity but not availability, with a CVSS score of 6. 1 (medium severity). No known exploits are currently reported in the wild. European organizations using this plugin on WordPress sites are at risk, especially those with public-facing review features. Mitigation involves updating the plugin once a patch is released or applying manual input sanitization and output escaping.
AI Analysis
Technical Summary
CVE-2025-14118 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Starred Review plugin for WordPress, affecting all versions up to and including 1.4.2. The root cause is insufficient sanitization and output escaping of the PHP_SELF variable during web page generation. PHP_SELF contains the filename of the currently executing script and can be manipulated via the URL. Because the plugin fails to neutralize this input properly, an attacker can craft a malicious URL containing executable JavaScript code. When a user clicks this URL, the injected script executes in the context of the victim's browser, potentially stealing session cookies, performing actions on behalf of the user, or redirecting to malicious sites. The vulnerability is exploitable remotely without authentication but requires user interaction (clicking a malicious link). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction needed, scope change, and low impact on confidentiality and integrity, with no impact on availability. No public exploits are known yet, but the vulnerability poses a significant risk to websites using this plugin, especially those with public review features that attract user interaction.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized disclosure of user session information and manipulation of user interactions on affected WordPress sites. This can result in account hijacking, unauthorized actions performed under a user's credentials, and reputational damage. E-commerce platforms, online communities, and service providers relying on the Starred Review plugin for customer feedback are particularly at risk. The reflected XSS can be used as a vector for phishing attacks targeting European users, potentially bypassing some security controls due to the trusted nature of the affected sites. While the vulnerability does not directly impact system availability, the loss of confidentiality and integrity can have severe business consequences, including regulatory penalties under GDPR if personal data is compromised.
Mitigation Recommendations
Immediate mitigation involves monitoring for an official patch from the plugin vendor and applying it promptly once available. Until a patch is released, organizations should implement manual input validation and output encoding for the PHP_SELF variable within the plugin code to neutralize malicious input. Web Application Firewalls (WAFs) can be configured to detect and block suspicious URL patterns exploiting PHP_SELF. Educating users about the risks of clicking untrusted links can reduce successful exploitation. Additionally, organizations should audit their WordPress installations to identify the presence of the Starred Review plugin and consider disabling or replacing it with a secure alternative if timely patching is not feasible. Regular security scanning and penetration testing focused on XSS vulnerabilities are recommended to detect similar issues proactively.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
CVE-2025-14118: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in callumalden Starred Review
Description
CVE-2025-14118 is a reflected Cross-Site Scripting (XSS) vulnerability in the Starred Review WordPress plugin up to version 1. 4. 2. It arises from improper sanitization of the PHP_SELF variable, allowing unauthenticated attackers to inject malicious scripts via crafted URLs. Exploitation requires tricking users into clicking malicious links, leading to script execution in their browsers. The vulnerability impacts confidentiality and integrity but not availability, with a CVSS score of 6. 1 (medium severity). No known exploits are currently reported in the wild. European organizations using this plugin on WordPress sites are at risk, especially those with public-facing review features. Mitigation involves updating the plugin once a patch is released or applying manual input sanitization and output escaping.
AI-Powered Analysis
Technical Analysis
CVE-2025-14118 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Starred Review plugin for WordPress, affecting all versions up to and including 1.4.2. The root cause is insufficient sanitization and output escaping of the PHP_SELF variable during web page generation. PHP_SELF contains the filename of the currently executing script and can be manipulated via the URL. Because the plugin fails to neutralize this input properly, an attacker can craft a malicious URL containing executable JavaScript code. When a user clicks this URL, the injected script executes in the context of the victim's browser, potentially stealing session cookies, performing actions on behalf of the user, or redirecting to malicious sites. The vulnerability is exploitable remotely without authentication but requires user interaction (clicking a malicious link). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction needed, scope change, and low impact on confidentiality and integrity, with no impact on availability. No public exploits are known yet, but the vulnerability poses a significant risk to websites using this plugin, especially those with public review features that attract user interaction.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized disclosure of user session information and manipulation of user interactions on affected WordPress sites. This can result in account hijacking, unauthorized actions performed under a user's credentials, and reputational damage. E-commerce platforms, online communities, and service providers relying on the Starred Review plugin for customer feedback are particularly at risk. The reflected XSS can be used as a vector for phishing attacks targeting European users, potentially bypassing some security controls due to the trusted nature of the affected sites. While the vulnerability does not directly impact system availability, the loss of confidentiality and integrity can have severe business consequences, including regulatory penalties under GDPR if personal data is compromised.
Mitigation Recommendations
Immediate mitigation involves monitoring for an official patch from the plugin vendor and applying it promptly once available. Until a patch is released, organizations should implement manual input validation and output encoding for the PHP_SELF variable within the plugin code to neutralize malicious input. Web Application Firewalls (WAFs) can be configured to detect and block suspicious URL patterns exploiting PHP_SELF. Educating users about the risks of clicking untrusted links can reduce successful exploitation. Additionally, organizations should audit their WordPress installations to identify the presence of the Starred Review plugin and consider disabling or replacing it with a secure alternative if timely patching is not feasible. Regular security scanning and penetration testing focused on XSS vulnerabilities are recommended to detect similar issues proactively.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-05T15:28:21.217Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 695e4c137349d0379d7d57a9
Added to database: 1/7/2026, 12:05:39 PM
Last enriched: 1/14/2026, 3:51:39 PM
Last updated: 2/7/2026, 4:15:20 AM
Views: 22
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.