CVE-2025-13626
Description
The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The myLCO WordPress plugin up to version 0.8.1 contains a reflected XSS vulnerability via the PHP_SELF parameter, enabling unauthenticated attackers to inject arbitrary web scripts.
Vulnerability
Details
The myLCO plugin for WordPress, in all versions up to and including 0.8.1, suffers from a reflected cross-site scripting (XSS) vulnerability. The issue arises from insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] parameter. This server variable holds the path of the executing script together with any extra path information the client appended to the request, so its contents are attacker-controlled and can carry a JavaScript payload. The plugin fails to neutralize this value before rendering it in the response, allowing arbitrary script injection [1].
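To show the pattern class described above, here is an added illustration (not the myLCO plugin's code; the function names, paths and sample value are hypothetical): a form that echoes $_SERVER['PHP_SELF'] unescaped, beside a hardened version that escapes for the attribute context.

```php
<?php
// Added illustration of the vulnerability class, not code from the myLCO plugin.
// Function names, the plugin path and the sample value below are hypothetical.

// Vulnerable: $_SERVER['PHP_SELF'] includes any path info the client appended to
// the script name, so client-controlled characters reach the page unescaped.
function render_form_vulnerable(string $php_self): string {
    return '<form method="post" action="' . $php_self . '">'
         . '<input type="submit" value="Save"></form>';
}

// Hardened: escape for the HTML attribute context before output. Inside WordPress
// esc_url() is the idiomatic helper; htmlspecialchars() is the plain-PHP fallback.
// Better still, avoid reflecting the request path at all: action="" posts to the
// current document URL without echoing anything the client sent.
function render_form_hardened(string $php_self): string {
    if (function_exists('esc_url')) {
        $safe = esc_url($php_self);   // WordPress core: strips disallowed characters
    } else {
        $safe = htmlspecialchars($php_self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return '<form method="post" action="' . $safe . '">'
         . '<input type="submit" value="Save"></form>';
}

// Constructed sample value: a request for a plugin page with a path-info suffix
// containing a double quote and angle brackets, the characters that matter for
// breaking out of an attribute and into markup.
$sample_php_self = '/wp-content/plugins/example/page.php/"<x>';

echo "Vulnerable output:\n" . render_form_vulnerable($sample_php_self) . "\n\n";
// The quote terminates the action attribute and <x> is parsed as markup.

echo "Hardened output:\n" . render_form_hardened($sample_php_self) . "\n";
// The quote and brackets are entity-encoded (htmlspecialchars) or removed (esc_url),
// so the whole value stays inside the attribute as inert text.
```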
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL that includes a JavaScript payload in the path portion of the request. The attacker then tricks a victim into clicking the link, for example via phishing or social engineering. No authentication is required, and the attack does not require any special network position beyond the ability to deliver the link to the user. The injected script executes in the context of the victim's browser session on the WordPress site.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement of the site, redirection to malicious sites, or theft of sensitive information such as cookies and login credentials. The impact is limited by the reflected nature of the XSS, as the script only executes when the victim clicks the crafted link.
Mitigation
The myLCO plugin has been closed on the WordPress plugin repository as of December 4, 2025, due to this security issue [1]. Users are advised to remove the plugin from their WordPress installations immediately. No patched version is available, and the plugin is no longer supported. As a general best practice, site administrators should ensure all plugins are kept up to date and monitor for similar vulnerabilities.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Package: https://wordpress.org/plugins/mylco
Patches
No patches discovered yet.
References