CVE-2025-14128 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Stumble! for WordPress plugin developed by mitchoyoshitaka. This vulnerability exists in all versions up to and including 1.1.1 due to insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] variable. When a user visits a crafted URL containing malicious script code embedded in the PHP_SELF server variable, the plugin reflects this input directly into the web page without proper neutralization. This allows an unauthenticated attacker to inject arbitrary JavaScript code that executes in the context of the victim’s browser session. The attack vector is remote and requires no privileges, but it depends on social engineering to convince users to click a malicious link. The vulnerability impacts confidentiality and integrity by potentially allowing theft of session cookies, user credentials, or execution of unauthorized actions on behalf of the user. The CVSS 3.1 base score of 6.1 reflects a medium severity, with attack vector network, low attack complexity, no privileges required, but user interaction necessary. The scope is changed (S:C) because the vulnerability affects user data and session integrity. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with affected WordPress sites. Attackers can exploit the reflected XSS to steal session cookies, enabling account hijacking, or perform actions on behalf of the user, such as changing settings or injecting further malicious content. This can lead to phishing attacks, unauthorized access, and reputational damage for affected organizations. Although availability is not impacted, the trustworthiness of the website is compromised. Organizations with high user interaction or sensitive data processed via WordPress sites using this plugin are at increased risk. The vulnerability can also serve as a stepping stone for more complex attacks if combined with other vulnerabilities or social engineering campaigns. Since exploitation requires user interaction, the risk is somewhat mitigated but remains significant for public-facing websites.

Organizations should immediately assess their WordPress installations for the presence of the Stumble! plugin and its version. If the plugin is installed, upgrading to a patched version once available is the most effective mitigation. In the absence of an official patch, administrators can implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the PHP_SELF variable. Input validation and output encoding should be enforced at the application level to neutralize potentially malicious input. Additionally, educating users to avoid clicking on suspicious links can reduce exploitation likelihood. Site owners should also consider disabling or removing the plugin if it is not essential. Monitoring web logs for unusual URL patterns and implementing Content Security Policy (CSP) headers can further reduce the risk of script injection and execution. Regular security audits and vulnerability scanning should be conducted to detect similar issues proactively.