CVE-2025-14125 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Complag plugin for WordPress, developed by andru1. The vulnerability exists in all versions up to and including 1.0.2 due to improper neutralization of input during web page generation, specifically involving the $_SERVER['PHP_SELF'] variable. This variable is used in generating web pages without adequate sanitization or escaping, allowing an attacker to inject arbitrary JavaScript code. Because the vulnerability is reflected, the malicious payload is embedded in a crafted URL that, when clicked by a user, causes the injected script to execute in the context of the vulnerable website. The attack does not require authentication, increasing its risk profile, but does require user interaction (clicking the malicious link). The CVSS v3.1 base score is 6.1, indicating medium severity, with attack vector as network, low attack complexity, no privileges required, user interaction required, and a scope change. The impact primarily affects confidentiality and integrity, as attackers can steal sensitive information, hijack user sessions, or perform actions on behalf of the victim. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin's widespread use on WordPress sites makes this a relevant threat to many web administrators.

The primary impact of CVE-2025-14125 is the compromise of user confidentiality and integrity on websites using the vulnerable Complag plugin. Attackers can execute arbitrary scripts in the context of the victim's browser, potentially stealing cookies, session tokens, or other sensitive information. This can lead to account hijacking, unauthorized actions, or further exploitation such as phishing or malware delivery. Although availability is not directly affected, the loss of trust and potential data breaches can have significant reputational and financial consequences for organizations. Since the vulnerability requires no authentication and can be triggered via a crafted URL, it poses a risk to all visitors of affected sites. The scope of affected systems is broad due to the plugin's presence on WordPress sites globally. Organizations relying on Complag for content management or user interaction should consider this a moderate risk that could escalate if combined with other vulnerabilities or social engineering tactics.

1. Immediate mitigation involves updating the Complag plugin to a fixed version once released by the vendor. In the absence of a patch, site administrators should disable the plugin temporarily to prevent exploitation. 2. Implement robust input validation and output encoding for all user-controllable inputs, especially those involving server variables like $_SERVER['PHP_SELF']. Use WordPress security functions such as esc_url(), esc_html(), or esc_attr() to sanitize output. 3. Employ Web Application Firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting the affected plugin. 4. Educate users and administrators about the risks of clicking suspicious links, especially those that appear to come from untrusted sources. 5. Conduct regular security audits and penetration testing focusing on plugin vulnerabilities and input handling. 6. Monitor web server logs for unusual URL patterns that may indicate attempted exploitation. 7. Consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 8. Backup website data regularly to enable quick recovery in case of compromise.