Description
The WP Widget Changer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-01-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Reflected)
Action: Apply Patch
AI Analysis

Impact

The WP Widget Changer plugin is affected by a reflected cross‑site scripting flaw that occurs when data from the $_SERVER['PHP_SELF'] variable is used without proper sanitization or escaping. This weakness allows an attacker to embed malicious JavaScript into a page that a legitimate user is directed to. The result is that, when the victim opens the crafted link, the script runs in the context of the infected WordPress site, potentially leading to theft of user credentials, session hijacking, or defacement of the site. The vulnerability is identified as CWE‑79.

Affected Systems

WordPress sites that have the WP Widget Changer plugin installed with any version from the first release up to and including 1.2.5. The plugin was developed by Damienoh and is distributed through the WordPress plugin repository.

Risk and Exploitability

The CVSS base score of 6.1 indicates a moderate severity vulnerability. The EPSS score of less than 1 % suggests that exploitation is currently unlikely, but the problem is still exploitable by an unauthenticated actor who can convince a user to click a malicious link. Because the flaw relies on client‑side execution of injected scripts, the impact is confined to users who visit the compromised page; it does not require prior authentication or administrative access. The vulnerability is not listed in the CISA KEV catalog, but it remains a legitimate risk for any site running vulnerable plugin versions.

Generated by OpenCVE AI on April 21, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Widget Changer plugin to the latest available version that removes the lack of input filtering.
  • If an upgrade is not immediately feasible, remove or disable the Widget Changer plugin until a fixed version is installed.
  • Ensure that any custom widget code in the site applies proper output escaping or input validation to avoid passing unsanitized data to the browser.

Generated by OpenCVE AI on April 21, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 07 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
Description The WP Widget Changer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title WP Widget Changer <= 1.2.5 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:40.887Z

Reserved: 2025-12-05T17:05:02.838Z

Link: CVE-2025-14131

cve-icon Vulnrichment

Updated: 2026-01-07T15:16:18.914Z

cve-icon NVD

Status : Deferred

Published: 2026-01-07T12:16:53.817

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14131

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:45:15Z

Weaknesses