CVE-2025-13910 is a stored cross-site scripting (XSS) vulnerability identified in the WP-WebAuthn plugin for WordPress, affecting all versions up to and including 1.3.4. The vulnerability arises from insufficient sanitization and escaping of user-supplied input that is logged and subsequently rendered on the plugin's log page via the wwa_auth AJAX endpoint. Because the input is not properly neutralized, an unauthenticated attacker can craft malicious JavaScript payloads that get stored in the plugin's logs. When an administrator or user with access to the log page views it, the malicious script executes in their browser context. This can lead to session hijacking, credential theft, or other malicious actions within the context of the logged-in user. The vulnerability does not require authentication to exploit but does require that the logging feature is enabled and that a user visits the log page, thus involving user interaction. The CVSS v3.1 score of 6.1 reflects a medium severity, with network attack vector, low attack complexity, no privileges required, but user interaction necessary. The scope is changed because the vulnerability affects the confidentiality and integrity of user sessions and data. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The root cause is a classic CWE-79 improper neutralization of input during web page generation, a common web application security flaw. Mitigation involves sanitizing and escaping all user inputs before logging and rendering, or disabling the logging feature until a patch is available.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on WordPress sites using the WP-WebAuthn plugin. Attackers can inject malicious scripts that execute in the context of users who view the plugin's log page, potentially leading to session hijacking, theft of authentication tokens, or unauthorized actions performed on behalf of the user. This can undermine trust in the affected website, lead to unauthorized access, and facilitate further attacks such as privilege escalation or data exfiltration. Since the vulnerability is exploitable without authentication, it increases the attack surface significantly. However, the requirement for user interaction (visiting the log page) limits automated exploitation. The availability of the site is not directly impacted. Organizations relying on WP-WebAuthn for WebAuthn-based authentication may face increased risk of account compromise and should treat this vulnerability seriously to maintain secure authentication flows.

1. Immediately disable the logging feature in the WP-WebAuthn plugin settings if it is enabled, to prevent malicious script injection and execution until a patch is available. 2. Monitor official WP-WebAuthn plugin channels and WordPress plugin repositories for updates or patches addressing CVE-2025-13910 and apply them promptly once released. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the wwa_auth AJAX endpoint, focusing on script injection patterns. 4. Restrict access to the plugin's log page to only trusted administrators and consider additional authentication or IP whitelisting to reduce exposure. 5. Conduct regular security audits and input validation reviews for all plugins handling user-generated content, emphasizing proper sanitization and output encoding. 6. Educate administrators and users about the risks of visiting untrusted or unexpected plugin pages, especially those that display logs or user input. 7. Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the affected site. 8. Review and harden WordPress site security posture overall, including least privilege principles for user roles and plugin management.