VYPR
Medium severity (CVSS 6.1) · NVD Advisory · Published Jan 7, 2026 · Updated Apr 15, 2026

CVE-2025-14128

Description

The Stumble! for WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages, which execute if the attacker can successfully trick a user into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Stumble! for WordPress plugin (<=1.1.1) allows unauthenticated attackers to inject scripts via PHP_SELF variable.

The Stumble! for WordPress plugin is vulnerable to Reflected Cross-Site Scripting (XSS) due to insufficient sanitization of the $_SERVER['PHP_SELF'] variable. This vulnerability affects all versions up to and including 1.1.1. The lack of proper input validation and output escaping allows an attacker to inject arbitrary web scripts.

An unauthenticated attacker can exploit this by tricking a user into clicking a crafted link, causing the malicious script to execute in the user's browser. The attack does not require any authentication or special network position, making it easy to exploit via social engineering.

Successful exploitation leads to execution of arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, defacement, or redirection to malicious sites. The potential impact is moderate due to the need for user interaction.

The plugin has been closed as of January 5, 2026, and is no longer available for download [1]. Users are advised to remove the plugin from their WordPress installations immediately, as no patch will be provided. No workaround exists beyond disabling or deleting the plugin.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
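The Description and AI Insight above both come down to one pattern: a request-derived value, $_SERVER['PHP_SELF'], is written into page output without escaping. The following PHP is an added illustration, not the Stumble! plugin's own code; the function names, markup and sample values are assumptions constructed for the demonstration. It shows the weak rendering beside two hardened forms and a small audit helper a defender can run over plugin source.

```php
<?php
// Added illustration of the PHP_SELF reflected-XSS pattern this advisory
// describes. Not the Stumble! plugin's code: function names, markup and the
// sample values are assumptions constructed for the demonstration.

// Weak pattern: the request path is concatenated into an attribute unescaped.
// $_SERVER['PHP_SELF'] is derived from the requested URL (including any path
// info after the script name), so the client controls its contents.
function render_form_vulnerable(string $php_self): string {
    return '<form method="post" action="' . $php_self . '">'
         . '<input type="submit" value="Go"></form>';
}

// Hardened: escape at the point of output. esc_attr() is WordPress's attribute
// escaper; htmlspecialchars() is the plain-PHP equivalent, used here so the
// file also runs under the PHP CLI without WordPress loaded.
function render_form_escaped(string $php_self): string {
    $safe = function_exists('esc_attr')
        ? esc_attr($php_self)
        : htmlspecialchars($php_self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">'
         . '<input type="submit" value="Go"></form>';
}
// Better still: omit the action attribute; the form posts to the current URL
// and nothing client-controlled is echoed into the page at all.
function render_form_no_reflection(): string {
    return '<form method="post"><input type="submit" value="Go"></form>';
}

// Defender check: flag source lines that use PHP_SELF without one of the usual
// escapers on the same line. A heuristic for auditing plugins, not a parser.
function find_unescaped_php_self(string $source): array {
    $hits = [];
    foreach (explode("\n", $source) as $n => $line) {
        if (preg_match('/\$_SERVER\s*\[\s*[\'"]PHP_SELF[\'"]\s*\]/', $line)
            && !preg_match('/\b(esc_attr|esc_url|esc_html|htmlspecialchars)\s*\(/', $line)) {
            $hits[] = ($n + 1) . ': ' . trim($line);
        }
    }
    return $hits;
}
// Constructed request path with characters that must never land raw in an attribute.
$php_self = '/wp-admin/admin.php/"><i>marker</i>';
echo "weak:  ", render_form_vulnerable($php_self), PHP_EOL;
echo "fixed: ", render_form_escaped($php_self), PHP_EOL;
echo "fixed: ", render_form_no_reflection(), PHP_EOL;
// Constructed two-line plugin snippet: line 1 is weak, line 2 is escaped.
$sample = "<form action=\"<?php echo \$_SERVER['PHP_SELF']; ?>\">\n"
        . "<form action=\"<?php echo esc_attr(\$_SERVER['PHP_SELF']); ?>\">";
print_r(find_unescaped_php_self($sample));
```

The audit helper only catches same-line omissions; a value escaped in a helper function or stored in a variable first needs a manual read, and since the advisory says no fix will ship, removing the plugin remains the actual remediation.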

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)