CVE-2025-14128
Reflected XSS in Stumble! WordPress Plugin Allows Script Injection
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | stumble_for_wordpress | to 1.1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Reflected Cross-Site Scripting (XSS) issue in the Stumble! for WordPress plugin, affecting all versions up to 1.1.1. It occurs because the plugin does not properly sanitize or escape the $_SERVER['PHP_SELF'] variable, allowing unauthenticated attackers to inject malicious scripts into web pages. These scripts execute when a user is tricked into performing an action like clicking a crafted link.
How can this vulnerability impact me? :
The vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website, potentially leading to theft of user data, session hijacking, or other malicious actions. Since it requires user interaction (clicking a link), it can be used to trick users into compromising their security or privacy.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Reflected Cross-Site Scripting (XSS) issue via the $_SERVER['PHP_SELF'] variable in the Stumble! for WordPress plugin up to version 1.1.1. Detection can involve monitoring web requests for suspicious URL parameters or payloads that include script tags or JavaScript code injected via the PHP_SELF variable. You can use web server logs or a web application firewall (WAF) to detect such attempts. For example, using command-line tools like grep to search for suspicious patterns in access logs: grep -iE "<script|javascript:" /path/to/access.log. Additionally, tools like curl or wget can be used to test URLs with crafted payloads to see if the script is reflected in the response. However, no specific detection commands or signatures are provided in the resources. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the Stumble! for WordPress plugin version 1.1.1 or earlier from your WordPress installation, as the plugin has been temporarily closed and removed from download availability pending a full review. Additionally, restrict user input and ensure proper input sanitization and output escaping if you maintain the plugin code. Applying a web application firewall (WAF) rule to block or sanitize requests exploiting the PHP_SELF variable can also help mitigate attacks. Since no patch or update is currently available, removing or disabling the plugin is the most effective immediate action. [2, 3]