Reflected Cross-Site Scripting Vulnerability in WPLG Default Mail From Plugin for WordPress
CVE-2025-14138
6.1MEDIUM
What is CVE-2025-14138?
The WPLG Default Mail From plugin for WordPress is susceptible to a Reflected Cross-Site Scripting (XSS) flaw that arises from inadequate input sanitization and output escaping of the $_SERVER['PHP_SELF'] variable. This vulnerability enables unauthenticated attackers to inject arbitrary scripts onto web pages, potentially executing harmful code if a targeted user is deceived into clicking a malicious link. It is crucial for website owners to implement immediate measures to secure their installations against such attacks.
Affected Version(s)
WPLG Default Mail From * <= 1.0.0