CVE-2025-13861 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the HTML Forms – Simple WordPress Forms Plugin developed by linksoftware. The vulnerability exists due to insufficient sanitization of fabricated file upload field metadata before it is rendered in the WordPress admin dashboard's form submissions page. This flaw allows unauthenticated attackers to inject arbitrary JavaScript code that is stored persistently and executed whenever an administrator accesses the affected page. The attack vector requires no privileges or authentication, making it highly accessible to remote attackers. The vulnerability impacts all versions up to and including 1.6.0 of the plugin. The CVSS 3.1 base score is 6.1, indicating a medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction (administrator viewing the page). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact affects confidentiality and integrity partially, as malicious scripts could steal admin session tokens, perform actions on behalf of the admin, or manipulate displayed data. No known public exploits have been reported yet, but the vulnerability's nature makes it a candidate for targeted attacks against WordPress administrators. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of WordPress administrative environments. Successful exploitation could allow attackers to hijack administrator sessions, manipulate form submission data, or perform administrative actions, potentially leading to further compromise of the website or underlying infrastructure. Organizations relying on the affected plugin for customer interactions or data collection may face data leakage or defacement risks. Given the unauthenticated nature of the attack, any exposed WordPress site using this plugin is at risk, especially those with high administrative traffic. The impact is magnified in sectors where WordPress is widely used for public-facing websites, including government, education, and SMEs across Europe. The vulnerability could also be leveraged as a foothold for lateral movement or to deploy additional malware, affecting business continuity and trust. Although no exploits are known in the wild, the medium severity and ease of exploitation warrant prompt attention to prevent potential targeted attacks.

1. Immediate mitigation should include restricting access to the WordPress admin dashboard to trusted IP addresses or VPNs to reduce exposure to unauthenticated attackers. 2. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the form submissions page, focusing on script injection patterns in file upload metadata. 3. Disable or remove the HTML Forms – Simple WordPress Forms Plugin if it is not essential, or replace it with a more secure alternative that properly sanitizes inputs. 4. Monitor administrative access logs for unusual activity or repeated access to the form submissions page from unknown sources. 5. Educate administrators to avoid accessing the form submissions page from untrusted networks until a patch is available. 6. Regularly update WordPress core and plugins, and subscribe to vendor advisories for timely patch releases. 7. Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 8. Conduct internal security audits focusing on plugin usage and input sanitization practices to identify similar vulnerabilities.