CVE-2025-13861 is a stored cross-site scripting vulnerability identified in the HTML Forms – Simple WordPress Forms Plugin developed by linksoftware, affecting all versions up to and including 1.6.0. The root cause is insufficient sanitization of fabricated file upload field metadata before it is displayed in the WordPress admin dashboard's form submissions page. An unauthenticated attacker can exploit this by submitting maliciously crafted metadata that contains arbitrary JavaScript code. When an administrator accesses the form submissions page, the injected script executes in their browser context, potentially allowing the attacker to hijack admin sessions, perform actions on behalf of the admin, or steal sensitive information. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. The CVSS 3.1 base score is 6.1, reflecting medium severity, with an attack vector of network (remote), no privileges required, low attack complexity, and requiring user interaction (admin viewing the page). The scope is changed (S:C) because the vulnerability affects components beyond the vulnerable plugin itself, impacting the WordPress admin environment. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (December 17, 2025).

The primary impact of this vulnerability is on the confidentiality and integrity of WordPress administrative sessions and data. Successful exploitation can lead to session hijacking, allowing attackers to impersonate administrators and perform unauthorized actions such as modifying site content, changing configurations, or installing malicious plugins. This can further lead to website defacement, data leakage, or complete site compromise. Since the vulnerability requires only that an administrator views the malicious input, it can be triggered remotely without authentication, increasing the risk. The availability impact is minimal as the vulnerability does not directly cause denial of service. However, the broader consequences of compromised administrative control can indirectly affect site availability. Organizations relying on this plugin for form handling are at risk, especially those with high administrative activity or multiple administrators. The lack of known exploits in the wild suggests limited current exploitation but also highlights the need for proactive mitigation before attackers develop weaponized payloads.

To mitigate this vulnerability, organizations should immediately update the HTML Forms – Simple WordPress Forms Plugin to a patched version once available from the vendor. Until a patch is released, administrators should restrict access to the form submissions page to trusted personnel only and avoid opening it in untrusted environments. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script payloads in form submissions can reduce risk. Additionally, hardening WordPress security by enforcing strong administrator authentication (e.g., multi-factor authentication), limiting administrator accounts, and monitoring admin activity logs can help detect and prevent exploitation. Reviewing and sanitizing all user-generated input fields, especially file upload metadata, is critical. Site owners should also consider disabling or replacing the vulnerable plugin with alternative form plugins that follow secure coding practices. Regular backups and incident response plans should be in place to recover from potential compromises.