CVE-2025-14118
Reflected XSS in WordPress Starred Review Plugin
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| starred_review | starred_review | to 1.4.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Reflected Cross-Site Scripting (XSS) issue in the Starred Review plugin for WordPress, affecting all versions up to 1.4.2. It occurs because the plugin does not properly sanitize or escape the PHP_SELF variable, allowing unauthenticated attackers to inject malicious scripts into web pages. These scripts execute when a user is tricked into performing an action like clicking a crafted link.
How can this vulnerability impact me? :
The vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website, potentially leading to theft of user data, session hijacking, or other malicious actions. Since it requires user interaction, attackers may trick users into clicking malicious links that trigger the script execution, compromising user security and trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your WordPress installation uses the Starred Review plugin version 1.4.2 or earlier. On the system, you can look for the presence of the plugin files, especially 'starred-review.php'. Additionally, monitoring HTTP requests for suspicious URLs that include injected scripts in the PHP_SELF variable may help detect exploitation attempts. For example, you can use commands like 'grep -r "starred-review" wp-content/plugins/' to find the plugin, and use web server logs analysis tools or commands such as 'grep -i "<script" /var/log/apache2/access.log' to detect potential reflected XSS payloads in requests. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or uninstalling the Starred Review plugin if it is installed and running version 1.4.2 or earlier. If disabling is not possible, restrict access to the plugin's administrative pages and ensure users do not click on suspicious links that could exploit the reflected XSS vulnerability. Additionally, consider applying web application firewall (WAF) rules to block malicious input targeting the PHP_SELF variable. Ultimately, update the plugin to a secure version once available or replace it with a maintained alternative. [1]