CVE-2025-14131
Reflected XSS in WP Widget Changer Plugin
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| damienoh | wp_widget_changer | up to and including 1.2.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Reflected Cross-Site Scripting (XSS) issue in the WP Widget Changer plugin for WordPress, affecting all versions up to and including 1.2.5. It occurs because the plugin does not properly sanitize or escape the $_SERVER['PHP_SELF'] variable, allowing unauthenticated attackers to inject malicious scripts into web pages. These scripts execute when a user is tricked into performing an action, such as clicking a crafted link.
How can this vulnerability impact me?
The vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website, potentially leading to theft of user credentials, session hijacking, or other malicious actions. Since it requires user interaction (like clicking a link), it can be used to trick users into compromising their security or privacy.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the WP Widget Changer plugin vulnerability impacts compliance with standards such as GDPR or HIPAA. There is no direct mention of data privacy, personal data exposure, or regulatory compliance implications related to this reflected cross-site scripting vulnerability in the available resources.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying whether the WP Widget Changer plugin at version 1.2.5 or earlier is installed and active on your WordPress site. Since the vulnerability is a reflected Cross-Site Scripting (XSS) via the $_SERVER['PHP_SELF'] variable, you can test for it by crafting a URL that places a script payload in the PHP_SELF value (the path suffix after the plugin script) and observing whether the payload is reflected unsanitized in the page output. For example, you can use curl or a browser to request a URL like https://yourwordpresssite.com/wp-content/plugins/wp-widget-changer/widget_changer.php/<script>alert(1)</script> and check whether the script tag appears unescaped in the response. Additionally, you can enumerate installed plugins and their versions with the WP-CLI command `wp plugin list` to confirm whether WP Widget Changer is present. No specific detection commands are provided in the resources. [3]
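The two checks described above, as an added example that is not part of this advisory or of the plugin: the first flags an installed WP Widget Changer at or below 1.2.5 from `wp plugin list --format=json` output, the second scans web-server access-log lines for requests that append script-like PATH_INFO to the plugin script. The plugin-list JSON and the log lines are constructed sample data; the plugin slug `wp-widget-changer` and the `widget_changer.php` path are taken from the URL quoted above and assumed to match the deployed install.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample of `wp plugin list --format=json` output (not real site data).
WP_PLUGIN_LIST_JSON = json.dumps([
    {"name": "akismet", "status": "active", "version": "5.3"},
    {"name": "wp-widget-changer", "status": "active", "version": "1.2.5"},
])

VULN_PLUGIN = "wp-widget-changer"   # assumed slug, matching the path quoted above
LAST_VULNERABLE = (1, 2, 5)         # all versions up to and including 1.2.5 are affected


def parse_version(v):
    """'1.2.5' -> (1, 2, 5) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def vulnerable_plugins(plugin_list_json):
    """Return 'name version (status)' for each installed copy at or below 1.2.5."""
    found = []
    for p in json.loads(plugin_list_json):
        if p["name"] == VULN_PLUGIN and parse_version(p["version"]) <= LAST_VULNERABLE:
            found.append(f'{p["name"]} {p["version"]} ({p["status"]})')
    return found


# Constructed access-log lines (common log format). The second request carries a
# URL-encoded script tag as PATH_INFO after the plugin script, the pattern described above.
ACCESS_LOG = """\
203.0.113.7 - - [07/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/wp-widget-changer/widget_changer.php HTTP/1.1" 200 512
203.0.113.9 - - [07/Jan/2026:10:00:05 +0000] "GET /wp-content/plugins/wp-widget-changer/widget_changer.php/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540
198.51.100.4 - - [07/Jan/2026:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PLUGIN_SCRIPT = "/wp-content/plugins/wp-widget-changer/widget_changer.php"
# Characters and tokens that have no business in a PATH_INFO suffix of this script.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|on\w+=", re.IGNORECASE)


def flag_path_info_injection(log_text):
    """Return (client_ip, decoded_path) for requests whose PATH_INFO looks like XSS."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, _status = m.groups()
        decoded = unquote(path)  # decode %3C etc. before inspecting the suffix
        if decoded.startswith(PLUGIN_SCRIPT) and SUSPICIOUS.search(decoded[len(PLUGIN_SCRIPT):]):
            hits.append((ip, decoded))
    return hits
```

Feed real `wp plugin list --format=json` output and your web server's access log in place of the constructed samples; a hit from the second function on a site that still runs the plugin is a reason to pull the plugin, not just to tune a rule.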
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or uninstalling the WP Widget Changer plugin if it is installed, especially versions up to and including 1.2.5. Since the plugin has been temporarily closed and removed from download availability pending a security review, it is recommended to remove it from your WordPress installation to prevent exploitation. Additionally, ensure that your WordPress installation and all other plugins are updated to their latest versions. Applying web application firewall (WAF) rules to block reflected XSS attempts targeting the plugin's endpoints can also help reduce risk until a patched version is available. [2]