CVE-2025-14125
📋 TL;DR
The Complag WordPress plugin up to version 1.0.2 contains a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts via the PHP_SELF variable. This affects all WordPress sites using vulnerable versions of the Complag plugin. Attackers can exploit this by tricking users into clicking specially crafted links.
💻 Affected Systems
- WordPress Complag Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deliver malware payloads.
Likely Case
Attackers will typically use this to steal session cookies or redirect users to phishing pages to harvest credentials.
If Mitigated
With proper web application firewalls and browser security controls, the impact is limited to individual user sessions rather than server compromise.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited and require minimal technical skill. Attackers only need to craft malicious URLs and trick users into clicking them.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/omplag/trunk/complag.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Complag plugin. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download version 1.0.3+ from WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable Complag Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate complag
Web Application Firewall Rule
allAdd WAF rule to block requests containing malicious script patterns in PHP_SELF parameter
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use browser security features like X-XSS-Protection and X-Content-Type-Options headers
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Complag version. If version is 1.0.2 or lower, you are vulnerable.Check Version:
wp plugin list --name=complag --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 1.0.3 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests containing script tags or JavaScript in URL parameters
- Multiple failed requests to Complag plugin endpoints with suspicious parameters
Network Indicators:
- HTTP requests with JavaScript payloads in URL parameters
- Traffic patterns showing users being redirected after visiting Complag plugin pages
SIEM Query:
source="web_server_logs" AND (uri="*complag*" AND (uri="*<script*" OR uri="*javascript:*" OR uri="*onload=*"))