Reflected Cross-Site Scripting Vulnerability in myLCO Plugin for WordPress
CVE-2025-13626

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Mylco
Vendor: CVE Published:; 6 December 2025

What is CVE-2025-13626?

The myLCO plugin for WordPress has a vulnerability that allows reflected cross-site scripting (XSS) attacks through the $_SERVER['PHP_SELF'] parameter. This issue emerges due to inadequate input sanitization and output escaping across all versions up to 0.8.1. Malicious actors can exploit this flaw to inject arbitrary web scripts, which execute when users are tricked into clicking on a specially crafted link. Proper mitigation involves ensuring comprehensive input validation and output encoding to safeguard user interactions.

Affected Version(s)

myLCO * <= 0.8.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/mylco

https://plugins.trac.wordpress.org/browser/mylco/trunk/my...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 6, 2025
Vulnerability Reserved
Nov 24, 2025

Credit

Abdulsamad Yusuf

JSON