CVE-2025-13746 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the ForumWP – Forum & Discussion Board plugin for WordPress, affecting all versions up to and including 2.1.6. The vulnerability stems from insufficient input sanitization and output escaping of the User's Display Name field. Authenticated users with Subscriber-level permissions or higher can inject arbitrary JavaScript code into the display name, which is then stored and rendered on forum pages. When other users access these pages, the malicious scripts execute in their browsers within the context of the vulnerable site. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement, or redirection to malicious sites. The vulnerability requires no user interaction beyond page viewing but does require the attacker to be authenticated, which limits remote anonymous exploitation. The CVSS 3.1 score of 6.4 reflects a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to the impact on other users. No public exploits are currently known, but the vulnerability poses a significant risk to sites using this plugin, especially those with large user bases or sensitive data. The lack of available patches at the time of reporting necessitates immediate mitigation efforts by administrators.

The impact of CVE-2025-13746 is primarily on the confidentiality and integrity of affected WordPress sites using the ForumWP plugin. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users, potentially leading to session hijacking, credential theft, unauthorized actions, and defacement. This can undermine user trust and lead to data breaches or account compromise. Since the vulnerability is stored XSS, the malicious payload persists and can affect multiple users over time. Organizations with active online communities or forums are at risk of reputational damage and operational disruption. Although availability is not directly impacted, the indirect consequences such as user lockout or administrative overhead can be significant. The requirement for authenticated access reduces the attack surface but does not eliminate risk, especially in environments with many registered users or weak account controls. The vulnerability could be leveraged as a foothold for further attacks within the network or to spread malware via social engineering.

Administrators should immediately upgrade the ForumWP plugin to a version that addresses this vulnerability once available. Until a patch is released, implement strict input validation and output encoding on the User's Display Name field at the application or web server level, if possible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting the display name parameter. Restrict user permissions to the minimum necessary, limiting Subscriber-level users from editing display names if feasible. Conduct regular security audits and monitor logs for unusual activities related to user profile changes or script injections. Educate users about the risks of XSS and encourage reporting of suspicious forum behavior. Consider disabling or restricting the forum plugin temporarily if the risk is unacceptable and no immediate patch is available. Finally, implement Content Security Policy (CSP) headers to reduce the impact of any injected scripts by restricting script sources.