{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14132", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T17:06:11.819Z", "datePublished": "2025-12-12T03:20:55.078Z", "dateUpdated": "2026-04-08T17:18:18.024Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:18.024Z"}, "affected": [{"vendor": "pandikamal03", "product": "Category Dropdown List", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Category Dropdown List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Category Dropdown List <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/baac847b-3c5e-44c4-bccf-fcbde1adf37f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dropdown-category-list/trunk/settings.php#L11"}, {"url": "https://plugins.trac.wordpress.org/browser/dropdown-category-list/tags/1.0/settings.php#L11"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "timeline": [{"time": "2025-12-11T14:32:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T20:37:28.762229Z", "id": "CVE-2025-14132", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T20:37:37.875Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14132", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-18T20:37:28.762229Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T20:37:34.480Z"}}], "cna": {"title": "Category Dropdown List <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "pandikamal03", "product": "Category Dropdown List", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:32:30.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/baac847b-3c5e-44c4-bccf-fcbde1adf37f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dropdown-category-list/trunk/settings.php#L11"}, {"url": "https://plugins.trac.wordpress.org/browser/dropdown-category-list/tags/1.0/settings.php#L11"}], "descriptions": [{"lang": "en", "value": "The Category Dropdown List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:18.024Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14132", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:18.024Z", "dateReserved": "2025-12-05T17:06:11.819Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:55.078Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Category Dropdown List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2025-14132", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:47.720", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dropdown-category-list/tags/1.0/settings.php#L11"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dropdown-category-list/trunk/settings.php#L11"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/baac847b-3c5e-44c4-bccf-fcbde1adf37f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:54:37.130149+00:00", "value": {"mitigation_remediation": ["Update the Category Dropdown List plugin to a version newer than 1.0 once it becomes available. ", "If no update is available, deactivate or uninstall the plugin to eliminate the vulnerable code. ", "Manually modify the plugin\u2019s settings.php file to escape the $_SERVER['PHP_SELF'] variable before output (e.g., using esc_url or esc_html) and validate the input to prevent user\u2011supplied data from being reflected. ", "Implement strong content\u2011security\u2011policy (CSP) headers and other XSS mitigations to reduce risk if the plugin remains in use."], "summary": {"action": "Update Plugin", "impact": "Reflected Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Category Dropdown List plugin for WordPress supplied by the contributor pandikamal03. All releases up to and including version 1.0 are vulnerable. Users running the plugin on their WordPress sites with these versions are exposed to the risk.", "description_and_impact": "Category Dropdown List is a WordPress plugin that can reflect arbitrary user\u2011supplied input via the $_SERVER['PHP_SELF'] variable. The plugin does not sanitize or escape the value before output, allowing unauthenticated attackers to inject malicious JavaScript into the web page. If a user follows a crafted link, the injected script can run in the victim's browser, potentially stealing session cookies, defacing the site, or performing further malicious actions.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. The EPSS score is less than 1%, suggesting a low current exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog, and exploitation requires only that an unauthenticated user be tricked into clicking a malicious URL; no authentication or administrative privileges are needed. The risk to the host and its visitors is therefore moderate, but with a low likelihood of real\u2011world exploitation at present."}}}}, "created": "2025-12-12T08:48:28.768853+00:00", "updated": "2026-04-21T01:00:12.972255+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}