Overview
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the WP-SOS-Donate Donation Sidebar Plugin for WordPress, tracked as CVE-2025-13625. This vulnerability affects all versions up to and including 0.9.2. Because the $_SERVER['PHP_SELF'] value is neither sanitized on input nor escaped on output, unauthenticated attackers can inject arbitrary web scripts into pages. The injected script executes in the victim's browser only if the user is tricked into performing an action, such as clicking a malicious link.
Technical Details
The vulnerability resides within the wp-sos-donate_options.php file of the WP-SOS-Donate plugin. The $_SERVER['PHP_SELF'] variable holds the path of the currently executing script as it appeared in the request, and any extra path segment a client appends after the script name (PATH_INFO) is included verbatim, which is what makes it attacker-controlled. The plugin echoes this value into the action attribute of an HTML form without escaping it, so an attacker can place JavaScript in the URL. When a user visits the manipulated URL, the unescaped script is executed in their browser, potentially allowing the attacker to steal cookies, redirect the user to a malicious website, or perform other actions on behalf of the user.
Affected code snippet (example from version 0.9.2, line 45 in wp-sos-donate_options.php):
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
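The following is an added example, not code from the plugin or the advisory, showing the vulnerable pattern above next to a hardened replacement. The fix is to stop deriving the form action from the request at all: build it from a server-side known location with admin_url() and escape it for the attribute context with esc_url(). The function names, the page slug wp-sos-donate and the stand-in esc_url()/admin_url() definitions (used only so the file runs outside WordPress) are assumptions; inside WordPress the real functions are used.

```php
<?php
// Added example: hardened replacement for the vulnerable form action.
// Not the plugin's own code; function names and the page slug are assumptions.

// Stand-ins so this file runs outside WordPress. When the real WordPress
// functions are loaded, these definitions are skipped.
if (!function_exists('esc_url')) {
    function esc_url($url) {
        // Reject non-navigational schemes, then HTML-encode for attribute context.
        if (preg_match('/^\s*(javascript|data|vbscript):/i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('admin_url')) {
    function admin_url($path = '') {
        // Constructed base URL; WordPress returns the real site's wp-admin URL.
        return 'https://example.invalid/wp-admin/' . ltrim($path, '/');
    }
}

// Vulnerable pattern (kept only for comparison): a request-controlled value is
// written raw into an HTML attribute, so a quote in the path ends the attribute.
function render_form_action_unsafe($php_self) {
    return '<form method="post" action="' . $php_self . '">';
}

// Hardened pattern: the action comes from a server-side constant location and is
// escaped for the attribute context. Nothing from the request reaches the markup.
function render_form_action_safe() {
    $action = admin_url('admin.php?page=wp-sos-donate'); // slug is an assumption
    return '<form method="post" action="' . esc_url($action) . '">';
}

// Constructed input: PHP_SELF as PHP reports it when a client appends extra path
// info containing a quote and angle brackets after the script name.
$constructed_php_self = '/wp-admin/admin.php/"><i>marker</i>';

echo "Unsafe: ", render_form_action_unsafe($constructed_php_self), PHP_EOL;
echo "Safe:   ", render_form_action_safe(), PHP_EOL;
```

Run with php on the command line: the unsafe line shows the marker element escaping the action attribute, while the safe line contains only the escaped admin URL. If the action genuinely must reflect the current request, the same rule applies: pass it through esc_url() (or esc_attr() for non-URL attributes) at the point of output rather than trusting $_SERVER values.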
CVSS Analysis
The vulnerability has been assigned a CVSS score of 6.1 (Medium).
This score reflects the following characteristics:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality Impact (CI): Low (L)
- Integrity Impact (II): Low (L)
- Availability Impact (AI): None (N)
The “User Interaction Required” component is crucial, as the attacker needs to trick a user into clicking a specially crafted link for the exploit to be successful.
Possible Impact
Successful exploitation of this vulnerability can lead to:
- Account Takeover: An attacker could potentially steal user cookies and session data, allowing them to impersonate the user and gain access to their account.
- Redirection to Malicious Websites: Users could be redirected to phishing websites or websites that distribute malware.
- Defacement: An attacker could modify the content of the affected page.
Mitigation/Patch Steps
The best mitigation is to update the WP-SOS-Donate plugin to the latest version. Check the WordPress plugin repository for available updates. If an update is not available, consider temporarily disabling the plugin until a patched version is released or switching to an alternative donation plugin.
As a general security practice, always keep all WordPress plugins and themes updated to their latest versions.
