CVE-2025-13676
Unknown Unknown - Not Provided
Reflected XSS in JustClick WordPress Plugin via PHP_SELF

Publication date: 2026-01-24

Last updated on: 2026-01-24

Assigner: Wordfence

Description
The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-01-24
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13676
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
justclick justclick to 0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-13676 is a Reflected Cross-Site Scripting (XSS) vulnerability in the JustClick registration plugin for WordPress, affecting all versions up to and including 0.1. The vulnerability arises because the plugin does not properly sanitize or escape the PHP_SELF server variable, allowing unauthenticated attackers to inject arbitrary web scripts. These scripts can execute if a user is tricked into clicking a crafted link, potentially compromising the user's browser session or data.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of a user's browser when they interact with a crafted link. This can lead to theft of user credentials, session hijacking, defacement of the website, or redirection to malicious sites. Since the vulnerability is exploitable without authentication, it poses a risk to any user visiting affected pages, potentially compromising user data and trust.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the WordPress site for suspicious URLs or parameters that exploit the PHP_SELF variable, such as reflected script tags in URLs or form submissions. On the server, you can check for the presence of the JustClick plugin version 0.1 installed in WordPress. To detect exploitation attempts, you might use web server access logs to search for suspicious query strings or POST data containing script tags. Example commands include using grep on web server logs: `grep -iE "<script|%3Cscript" /var/log/apache2/access.log` or `grep 'justclick.php' /var/log/apache2/access.log` to find requests related to the vulnerable plugin. Additionally, scanning the WordPress plugins directory for the JustClick plugin version 0.1 can be done with: `grep -r 'Version: 0.1' /path/to/wordpress/wp-content/plugins/justclick-subscriber/`. [2, 3]

Mitigation Strategies

Immediate mitigation steps include disabling or uninstalling the JustClick WordPress plugin version 0.1 until a patched version is available. If disabling is not possible, restrict access to the registration page or implement web application firewall (WAF) rules to block requests containing suspicious input in the PHP_SELF variable or reflected script tags. Additionally, ensure that the WordPress installation and all plugins are updated regularly. Administrators should also review and sanitize any custom subscription form code used in the plugin settings to minimize injection risks. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13676. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart