Description
The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-12-06
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Apply patch
AI Analysis

Impact

The CSV Sumotto plugin for WordPress incorporates the PHP superglobal $_SERVER['PHP_SELF'] directly into page output without sanitization or escaping. This omission allows an unauthenticated attacker to inject arbitrary JavaScript that will run in the browsers of any user who follows a crafted link. The injected code can steal session cookies, deface content, or redirect victims to malicious sites, thereby compromising the confidentiality, integrity, and availability of the user experience.

Affected Systems

WordPress sites that have the CSV Sumotto plugin installed, specifically all versions up to and including 1.0. The vulnerability exists in the settings page and any other page where the plugin echoes PHP_SELF.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score of less than 1% reflects a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, an attacker who can convince a user to visit a maliciously crafted URL can exploit it with a single click. No authentication is required; the effect is limited to the target site, but any user who visits the vulnerable page through such a link can be affected.

Generated by OpenCVE AI on April 20, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CSV Sumotto to version 1.1 or later, where PHP_SELF is properly sanitized.
  • If an upgrade is not immediately possible, edit the plugin code to apply htmlspecialchars or a similar function to $_SERVER['PHP_SELF'] before echoing it.
  • If the affected functionality is not required, disable or remove the page that uses the unsafe variable, or replace it with a safe alternative.
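As an added illustration of the recommended action (this is not code from the plugin, from Wordfence or from OpenCVE), the snippet below places the unsafe echo pattern the advisory describes next to two hardened forms: escaping `$_SERVER['PHP_SELF']` for an HTML attribute context, and not reflecting the request path at all. The function names, the page slug and the constructed request path are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Function names, the page slug and
// the constructed PHP_SELF value below are assumptions for illustration.

// Vulnerable pattern: PHP_SELF reflects the request path, including any
// path-info appended after the script name, so it is request-controlled.
// Echoing it raw into an attribute lets that path break out of action="...".
function render_form_action_unsafe(string $php_self): string {
    return '<form method="post" action="' . $php_self . '">';
}

// Hardened form 1: escape for an HTML attribute context before echoing.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE avoids an empty
// string on invalid UTF-8, which would otherwise silently drop the value.
function render_form_action_escaped(string $php_self): string {
    $safe = htmlspecialchars($php_self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Hardened form 2 (the idiomatic WordPress choice): do not reflect the request
// path at all; build the action from a fixed, server-controlled value. Inside
// WordPress this would be esc_url( admin_url( 'admin.php?page=' . $slug ) );
// the same result is built by hand here so the file runs outside WordPress.
function render_form_action_fixed(string $page_slug): string {
    $action = '/wp-admin/admin.php?page=' . rawurlencode($page_slug);
    return '<form method="post" action="'
        . htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Constructed request path (assumption): the script name with path-info that
// carries a double quote and angle brackets, the characters that matter here.
$constructed_php_self = '/wp-admin/admin.php/"><b>injected</b>';

echo "unsafe:  " . render_form_action_unsafe($constructed_php_self) . "\n";
echo "escaped: " . render_form_action_escaped($constructed_php_self) . "\n";
echo "fixed:   " . render_form_action_fixed('csv-sumotto') . "\n";

// Self-check: after escaping, no raw tag or attribute break-out from the
// request path may survive in the markup.
$escaped = render_form_action_escaped($constructed_php_self);
if (strpos($escaped, '<b>') !== false || strpos($escaped, '"><') !== false) {
    throw new RuntimeException('escaping failed');
}
```

Of the two hardened forms, the second is the better long-term fix: an admin form's action does not need to depend on the incoming request path, and building it from `admin_url()` plus `esc_url()` removes the reflected value instead of merely encoding it. The `htmlspecialchars` form is the minimal in-place patch the recommended actions describe and is appropriate when the plugin cannot be upgraded immediately.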


Advisories

No advisories yet.

History

Tue, 09 Dec 2025 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Mon, 08 Dec 2025 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 06 Dec 2025 06:00:00 +0000

Type | Values Removed | Values Added
Description | | The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title | | CSV Sumotto <= 1.0 - Reflected Cross-Site Scripting
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:14.154Z

Reserved: 2025-12-02T15:39:12.992Z

Link: CVE-2025-13894

Vulnrichment

Updated: 2025-12-08T21:29:18.327Z

NVD

Status : Deferred

Published: 2025-12-06T06:15:52.987

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses