CVE-2025-13861: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in linksoftware HTML Forms – Simple WordPress Forms Plugin
The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page.
AI Analysis
Technical Summary
The HTML Forms – Simple WordPress Forms Plugin for WordPress suffers from an unauthenticated stored cross-site scripting vulnerability (CWE-79) in all versions up to and including 1.6.0. The issue is due to inadequate sanitization of fabricated file upload field metadata, which is then displayed in the WordPress admin dashboard's form submissions page. This flaw enables attackers without authentication to inject arbitrary web scripts that execute in the context of an administrator's browser session when accessing the affected page. The CVSS 3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and user interaction required, impacting confidentiality and integrity with no availability impact.
Potential Impact
Successful exploitation allows unauthenticated attackers to inject and execute arbitrary scripts in the administrator's browser when viewing form submissions. This can lead to partial confidentiality and integrity compromise, such as theft of admin session cookies or manipulation of admin interface content. There is no direct impact on system availability. No known exploits in the wild have been reported to date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should limit access to the form submissions page to trusted users only and consider disabling or removing the vulnerable plugin. Monitoring for suspicious activity related to admin dashboard access is advisable. Avoid interacting with untrusted form submissions or file uploads that could contain malicious metadata.
CVE-2025-13861: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in linksoftware HTML Forms – Simple WordPress Forms Plugin
Description
The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The HTML Forms – Simple WordPress Forms Plugin for WordPress suffers from an unauthenticated stored cross-site scripting vulnerability (CWE-79) in all versions up to and including 1.6.0. The issue is due to inadequate sanitization of fabricated file upload field metadata, which is then displayed in the WordPress admin dashboard's form submissions page. This flaw enables attackers without authentication to inject arbitrary web scripts that execute in the context of an administrator's browser session when accessing the affected page. The CVSS 3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and user interaction required, impacting confidentiality and integrity with no availability impact.
Potential Impact
Successful exploitation allows unauthenticated attackers to inject and execute arbitrary scripts in the administrator's browser when viewing form submissions. This can lead to partial confidentiality and integrity compromise, such as theft of admin session cookies or manipulation of admin interface content. There is no direct impact on system availability. No known exploits in the wild have been reported to date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should limit access to the form submissions page to trusted users only and consider disabling or removing the vulnerable plugin. Monitoring for suspicious activity related to admin dashboard access is advisable. Avoid interacting with untrusted form submissions or file uploads that could contain malicious metadata.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-01T21:05:53.563Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69423560364d4dab9cc00c3e
Added to database: 12/17/2025, 4:45:20 AM
Last enriched: 4/9/2026, 4:37:50 PM
Last updated: 5/8/2026, 2:10:13 AM
Views: 164
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.