CVE-2025-14138 is a reflected Cross-Site Scripting vulnerability identified in the WPLG Default Mail From plugin for WordPress, a plugin designed to manage the default 'From' email address in outgoing emails. The vulnerability stems from insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] variable, which is commonly used to retrieve the current script's filename. Because the plugin fails to properly neutralize this input, an attacker can craft a malicious URL containing executable JavaScript code embedded within the PHP_SELF value. When a victim clicks on such a link, the malicious script is reflected in the web page response and executed in the victim's browser context. This reflected XSS does not require the attacker to be authenticated but does require user interaction (clicking the link). The vulnerability affects all versions up to and including 1.0.0 of the plugin. The CVSS 3.1 base score of 6.1 reflects a medium severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. The scope is changed due to the potential for the vulnerability to affect other components via script execution. No public exploits are currently known, but the vulnerability could be leveraged for session hijacking, phishing, or delivering malicious payloads. The lack of patches at the time of publication necessitates immediate mitigation steps by administrators.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of user sessions and data. Exploitation could enable attackers to steal authentication cookies, perform actions on behalf of users, or redirect users to malicious sites, potentially leading to data breaches or reputational damage. Organizations with public-facing WordPress sites using the WPLG Default Mail From plugin are particularly vulnerable, especially those handling sensitive customer or employee data. The reflected XSS could also be used as a vector for delivering further malware or conducting social engineering attacks. While availability is not directly impacted, the indirect consequences of successful exploitation could disrupt business operations and erode user trust. Given the widespread use of WordPress in Europe, the threat could affect a broad range of sectors including e-commerce, government, education, and media.

1. Monitor for and apply official patches or updates from the wpletsgo vendor as soon as they become available. 2. In the interim, disable or remove the WPLG Default Mail From plugin if it is not critical to operations. 3. Implement Web Application Firewalls (WAFs) with robust XSS detection and blocking capabilities to filter malicious payloads targeting the PHP_SELF variable. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 5. Review and sanitize all user-controllable inputs in custom WordPress themes or plugins to prevent injection. 6. Educate users about the risks of clicking suspicious links, especially those received via email or social media. 7. Conduct regular security audits and penetration testing focused on XSS vulnerabilities. 8. Monitor web server logs for unusual requests containing suspicious payloads targeting PHP_SELF or related parameters.