{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14128", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T17:00:28.923Z", "datePublished": "2026-01-07T09:20:52.914Z", "dateUpdated": "2026-04-08T16:37:57.105Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:57.105Z"}, "affected": [{"vendor": "mitchoyoshitaka", "product": "Stumble! for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Stumble! for WordPress <= 1.1.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19e1421d-8cb4-44b6-a982-769539b19582?source=cve"}, {"url": "https://wordpress.org/plugins/stumble-for-wordpress/"}, {"url": "https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/trunk/stumble.php#L143"}, {"url": "https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/tags/1.1.1/stumble.php#L143"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "timeline": [{"time": "2026-01-06T20:32:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T15:50:08.303996Z", "id": "CVE-2025-14128", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T15:50:16.434Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14128", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T15:50:08.303996Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T15:50:11.566Z"}}], "cna": {"title": "Stumble! for WordPress <= 1.1.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mitchoyoshitaka", "product": "Stumble! for WordPress", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T20:32:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19e1421d-8cb4-44b6-a982-769539b19582?source=cve"}, {"url": "https://wordpress.org/plugins/stumble-for-wordpress/"}, {"url": "https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/trunk/stumble.php#L143"}, {"url": "https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/tags/1.1.1/stumble.php#L143"}], "descriptions": [{"lang": "en", "value": "The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-07T09:20:52.914Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14128", "state": "PUBLISHED", "dateUpdated": "2026-01-07T15:50:16.434Z", "dateReserved": "2025-12-05T17:00:28.923Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T09:20:52.914Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Stumble! for WordPress para WordPress es vulnerable a Cross-Site Scripting Reflejado a trav\u00e9s de la variable '$_SERVER['PHP_SELF']' en todas las versiones hasta la versi\u00f3n, e incluyendo, 1.1.1 debido a una sanitizaci\u00f3n de entrada y escape de salida insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutan si pueden enga\u00f1ar con \u00e9xito a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-14128", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:53.507", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/tags/1.1.1/stumble.php#L143"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/trunk/stumble.php#L143"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/stumble-for-wordpress/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19e1421d-8cb4-44b6-a982-769539b19582?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:15:16.708127+00:00", "value": {"mitigation_remediation": ["Update the Stumble! for WordPress plugin to the latest version that removes the vulnerable use of $_SERVER['PHP_SELF'] or uninstall the plugin entirely if it is no longer needed.", "If an upgrade is not immediately possible, remove the plugin\u2019s code that references $_SERVER['PHP_SELF'] and replace it with a properly sanitized function such as esc_html( $_SERVER['PHP_SELF'] ).", "Implement a Content\u2011Security\u2011Policy header on the site to restrict the execution of inline scripts and mitigate the impact of any remaining cross\u2011site scripting attempts."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is the \"Stumble! for WordPress\" plugin, distributed by mitchoyoshitaka. All releases up to and including version\u202f1.1.1 are impacted. Any WordPress installation that has this plugin active and serves pages that echo $_SERVER['PHP_SELF'] in the response will be vulnerable.", "description_and_impact": "The Stumble! for WordPress plugin is vulnerable to a reflected cross\u2011site scripting flaw caused by the use of the raw $_SERVER['PHP_SELF'] variable without proper sanitization or output escaping. An unauthenticated attacker can embed malicious JavaScript in the page when a user follows a crafted URL or link that includes the attacker\u2019s code. This can lead to cookie theft, session hijacking, defacement, or malicious redirection, thereby compromising the confidentiality, integrity, and availability of the site for any visiting user. The vulnerability is a typical example of a client\u2011side injection weakness (CWE\u201179).", "risk_and_exploitability": "The CVSS score is 6.1, indicating a moderate severity. The EPSS score of less than 1% suggests that current exploitation activity is low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via a crafted link or URL that forces the vulnerable plugin to output the unsanitized string to the user\u2019s browser. The attack requires no authentication; an attacker only needs to entice a victim to click the malicious link, which can be delivered through email, social media, or compromised sites."}}}}, "created": "2026-01-08T09:49:47.931177+00:00", "updated": "2026-04-22T20:15:20.539979+00:00", "vendors": ["mitchoyoshitaka", "mitchoyoshitaka$PRODUCT$stumble!_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}