CVE-2025-14125 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Complag plugin for WordPress, affecting all versions up to and including 1.0.2. The root cause is insufficient sanitization and escaping of the $_SERVER['PHP_SELF'] variable during web page generation, which allows attackers to inject arbitrary JavaScript code into pages. This vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Since the attack vector is reflected XSS, exploitation requires an attacker to craft a malicious URL containing the payload and trick a user into clicking it. Upon visiting the crafted URL, the injected script executes in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability does not require authentication (PR:N) but does require user interaction (UI:R). The CVSS 3.1 base score is 6.1, reflecting medium severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required, user interaction required, scope changed (S:C), and low impact on confidentiality and integrity but no impact on availability. No public exploits or patches are currently available, but the vulnerability is publicly disclosed as of December 12, 2025. The vulnerability affects websites using the Complag plugin, which is a WordPress plugin, thus impacting WordPress-based sites that have this plugin installed and active. The scope of impact includes potential data leakage and manipulation of user sessions or content due to script injection.

For European organizations, this vulnerability poses a risk primarily to websites using the Complag WordPress plugin. The reflected XSS can lead to theft of user credentials, session cookies, or other sensitive information, undermining confidentiality and integrity of user data. This can result in unauthorized access to user accounts, defacement of websites, or distribution of malware through the compromised site. Organizations handling sensitive customer data or providing critical services via WordPress sites are particularly vulnerable. The attack requires user interaction, so phishing or social engineering campaigns could amplify impact. While availability is not directly affected, reputational damage and regulatory consequences under GDPR due to data breaches could be significant. The medium severity score indicates a moderate risk, but the widespread use of WordPress in Europe and the potential for targeted attacks against high-value sites increase the threat level. Lack of a patch means organizations must rely on interim mitigations, increasing exposure time.

1. Monitor the Complag plugin vendor for official security patches and apply updates immediately once available. 2. Until a patch is released, implement manual input validation and output encoding for the $_SERVER['PHP_SELF'] variable within the plugin code or via web application firewall (WAF) rules to block malicious payloads. 3. Deploy a robust WAF with rules specifically targeting reflected XSS patterns, including sanitization of URL parameters and headers. 4. Educate users and staff to recognize phishing attempts that may deliver malicious URLs exploiting this vulnerability. 5. Conduct regular security assessments and penetration testing on WordPress sites using Complag to detect potential exploitation. 6. Consider disabling or replacing the Complag plugin if it is not critical to operations until a secure version is available. 7. Implement Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 8. Log and monitor web server access logs for suspicious URL patterns that may indicate exploitation attempts.