CVE-2025-13861 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the HTML Forms – Simple WordPress Forms Plugin developed by linksoftware. The vulnerability exists in all versions up to and including 1.6.0 due to improper sanitization of fabricated file upload field metadata before it is rendered in the WordPress admin dashboard. An unauthenticated attacker can exploit this by submitting maliciously crafted metadata that is stored and later executed as JavaScript when an administrator accesses the form submissions page. This attack vector does not require any authentication, making it easier for remote attackers to exploit. The vulnerability impacts the confidentiality and integrity of the administrator’s session and data, as malicious scripts can steal cookies, perform actions on behalf of the admin, or inject further malicious payloads. The CVSS v3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction (admin visiting the page). The scope is changed (S:C) because the vulnerability affects resources beyond the initially vulnerable component. No patches were linked at the time of publication, and no known exploits in the wild have been reported. The vulnerability highlights the risks of insufficient input validation and output encoding in WordPress plugins, especially those handling file uploads and admin interfaces.

For European organizations, this vulnerability poses a significant risk to WordPress-based websites that use the affected plugin. Successful exploitation can lead to administrative account compromise, unauthorized actions within the WordPress backend, and potential data leakage. This can result in defacement, data theft, or further malware deployment. Organizations handling sensitive customer data or critical business operations through WordPress sites are particularly vulnerable. The attack requires no authentication, increasing the attack surface. Given the widespread use of WordPress across Europe, especially in SMEs and public sector websites, the impact could be broad. Compromise of administrative accounts can also lead to supply chain risks if the WordPress site integrates with other internal systems. Additionally, GDPR compliance could be affected if personal data is exposed or mishandled due to this vulnerability.

Immediate mitigation should focus on restricting access to the WordPress admin dashboard to trusted IP addresses or VPN users to reduce exposure. Administrators should avoid accessing the form submissions page until a patch is available. Implementing Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the file upload metadata fields can provide temporary protection. Monitoring logs for suspicious POST requests to the form submission endpoints is recommended. Plugin developers and site administrators should prioritize releasing and applying patches that properly sanitize and encode all user-supplied metadata before rendering. As a temporary workaround, disabling or removing the vulnerable plugin can eliminate the attack vector. Regular backups and incident response plans should be reviewed to prepare for potential exploitation. Educating administrators about the risk of clicking untrusted links or accessing suspicious admin pages can reduce successful exploitation likelihood.