CVE-2025-14129 is a reflected cross-site scripting vulnerability identified in the Like DisLike Voting plugin for WordPress, developed by wasiul99. This vulnerability affects all versions up to and including 1.0.1. The root cause is insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] variable, which is used during web page generation. Because this variable reflects the current script's filename, an attacker can craft a malicious URL containing script code embedded in the URL path. When a user visits this URL, the injected script executes in the context of the vulnerable website, potentially stealing cookies, session tokens, or performing actions on behalf of the user. The attack does not require authentication but does require user interaction, such as clicking a malicious link. The vulnerability has a CVSS 3.1 base score of 6.1, indicating medium severity, with attack vector network, low attack complexity, no privileges required, user interaction required, and scope changed. No patches or official fixes have been published yet, and no exploits have been observed in the wild. This vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation leading to cross-site scripting.

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with affected WordPress sites. Attackers can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, or redirection to malicious sites. While availability is not directly impacted, successful exploitation can damage the reputation of affected organizations and erode user trust. Since the vulnerability is exploitable without authentication and remotely via crafted URLs, it poses a significant risk to any website using the vulnerable plugin. Organizations with high traffic or sensitive user data are particularly at risk. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as public disclosure may prompt attackers to develop exploits.

Organizations should immediately audit their WordPress installations to identify if the Like DisLike Voting plugin by wasiul99 is installed and which version is in use. If the plugin is present and unpatched, it is advisable to disable or uninstall it until a vendor patch is released. As no official patches are currently available, manual mitigation involves sanitizing and escaping the $_SERVER['PHP_SELF'] variable before output, using WordPress's built-in functions such as esc_url() or esc_html() to neutralize malicious input. Web application firewalls (WAFs) can be configured to detect and block suspicious URL patterns that attempt to exploit this vulnerability. Additionally, educating users to avoid clicking suspicious links can reduce risk. Monitoring web logs for unusual requests containing script tags or suspicious payloads can help detect attempted exploitation. Finally, organizations should subscribe to vendor and security mailing lists to apply patches promptly once available.