CVE-2025-13676
Reflected XSS in JustClick WordPress Plugin via PHP_SELF
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| justclick | justclick | to 0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-13676 is a Reflected Cross-Site Scripting (XSS) vulnerability in the JustClick registration plugin for WordPress, affecting all versions up to and including 0.1. The vulnerability arises because the plugin does not properly sanitize or escape the PHP_SELF server variable, allowing unauthenticated attackers to inject arbitrary web scripts. These scripts can execute if a user is tricked into clicking a crafted link, potentially compromising the user's browser session or data.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts in the context of a user's browser when they interact with a crafted link. This can lead to theft of user credentials, session hijacking, defacement of the website, or redirection to malicious sites. Since the vulnerability is exploitable without authentication, it poses a risk to any user visiting affected pages, potentially compromising user data and trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the WordPress site for suspicious URLs or parameters that exploit the PHP_SELF variable, such as reflected script tags in URLs or form submissions. On the server, you can check for the presence of the JustClick plugin version 0.1 installed in WordPress. To detect exploitation attempts, you might use web server access logs to search for suspicious query strings or POST data containing script tags. Example commands include using grep on web server logs: `grep -iE "<script|%3Cscript" /var/log/apache2/access.log` or `grep 'justclick.php' /var/log/apache2/access.log` to find requests related to the vulnerable plugin. Additionally, scanning the WordPress plugins directory for the JustClick plugin version 0.1 can be done with: `grep -r 'Version: 0.1' /path/to/wordpress/wp-content/plugins/justclick-subscriber/`. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or uninstalling the JustClick WordPress plugin version 0.1 until a patched version is available. If disabling is not possible, restrict access to the registration page or implement web application firewall (WAF) rules to block requests containing suspicious input in the PHP_SELF variable or reflected script tags. Additionally, ensure that the WordPress installation and all plugins are updated regularly. Administrators should also review and sanitize any custom subscription form code used in the plugin settings to minimize injection risks. [2, 3]