CVE-2025-14118 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Starred Review plugin for WordPress, affecting all versions up to and including 1.4.2. The root cause is insufficient input sanitization and output escaping of the PHP_SELF variable, which is commonly used to reference the current script's filename. Because the plugin fails to properly neutralize this input, an attacker can craft a malicious URL containing executable JavaScript code embedded in the PHP_SELF parameter. When a victim clicks this link, the injected script executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect them to malicious sites. This vulnerability is exploitable remotely without authentication but requires user interaction (clicking a malicious link). The vulnerability affects the confidentiality and integrity of user data but does not impact system availability. The CVSS v3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The primary impact of this vulnerability is on the confidentiality and integrity of user sessions and data. Successful exploitation can lead to session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed on behalf of the victim user. This can facilitate further attacks like phishing, privilege escalation, or spreading malware. Since the vulnerability is reflected XSS, it requires user interaction, limiting mass exploitation but still posing a significant risk especially to websites with high user traffic or administrative users. Organizations running WordPress sites with the Starred Review plugin are at risk of reputational damage, data breaches, and potential regulatory non-compliance if user data is compromised. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future. The scope includes all websites using the vulnerable plugin versions, which could be numerous given WordPress’s widespread adoption.

To mitigate this vulnerability, organizations should immediately update the Starred Review plugin to a version that addresses the issue once available. In the absence of an official patch, administrators can implement web application firewall (WAF) rules to detect and block malicious payloads targeting the PHP_SELF parameter. Input validation and output encoding should be enforced at the application level to neutralize potentially harmful characters in URLs. Site owners should educate users about the risks of clicking suspicious links and consider implementing Content Security Policy (CSP) headers to restrict script execution sources. Regular security audits and vulnerability scanning of WordPress plugins can help identify similar issues proactively. Additionally, disabling or removing unused plugins reduces the attack surface. Monitoring web server logs for unusual requests targeting PHP_SELF can provide early detection of exploitation attempts.