CVE-2025-14132 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Category Dropdown List plugin for WordPress, maintained by pandikamal03. The vulnerability exists in all versions up to and including 1.0 due to improper neutralization of input during web page generation, specifically involving the $_SERVER['PHP_SELF'] variable. This variable is used in the plugin without adequate sanitization or output escaping, allowing an attacker to craft malicious URLs that inject arbitrary JavaScript code into the rendered page. When a victim clicks such a link, the injected script executes in their browser context, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability is exploitable remotely without authentication but requires user interaction (clicking a malicious link). The CVSS v3.1 base score is 6.1, indicating a medium severity level, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and low impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). No patches or known exploits are currently reported, but the vulnerability poses a tangible risk to WordPress sites using this plugin. The issue is classified under CWE-79, which covers improper neutralization of input leading to XSS. The vulnerability was published on December 12, 2025, and assigned by Wordfence.

The primary impact of CVE-2025-14132 is the compromise of user confidentiality and integrity on affected WordPress sites. Successful exploitation can allow attackers to execute arbitrary scripts in the context of the victim’s browser, enabling theft of session cookies, credentials, or other sensitive information. Attackers can also perform actions on behalf of the user, such as changing account settings or conducting phishing attacks. Although availability is not directly affected, the reputational damage and potential data breaches can be significant. Organizations running websites with the vulnerable plugin risk user trust erosion and possible regulatory consequences if user data is compromised. The vulnerability’s ease of exploitation without authentication but requiring user interaction increases its threat level, especially for sites with high traffic or users prone to clicking untrusted links. The absence of known exploits in the wild currently limits immediate risk but does not preclude future attacks. Overall, the threat can lead to targeted or broad attacks against WordPress sites, impacting businesses, e-commerce platforms, and content providers globally.

To mitigate CVE-2025-14132, organizations should first check for updates or patches from the plugin developer and apply them promptly once available. In the absence of official patches, site administrators can implement manual mitigations such as sanitizing and encoding the $_SERVER['PHP_SELF'] variable before outputting it in the page, using WordPress’s built-in functions like esc_url() or esc_html() to prevent script injection. Employing a Web Application Firewall (WAF) with rules to detect and block reflected XSS payloads targeting the vulnerable parameter can reduce risk. Additionally, security teams should educate users about the dangers of clicking suspicious links and implement Content Security Policy (CSP) headers to restrict script execution sources. Regular security audits and vulnerability scanning of WordPress plugins can help identify and remediate similar issues proactively. Finally, consider disabling or replacing the vulnerable plugin with a more secure alternative if patching is not feasible.