{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13861", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-01T21:05:53.563Z", "datePublished": "2025-12-17T04:31:30.671Z", "dateUpdated": "2026-04-08T16:52:56.127Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:56.127Z"}, "affected": [{"vendor": "linksoftware", "product": "HTML Forms \u2013 Simple WordPress Forms Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The HTML Forms \u2013 Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page."}], "title": "HTML Forms \u2013 Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/52e2f1b9-d240-4813-9124-51bd6b047553?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L321"}, {"url": "https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L357"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419926%40html-forms%2Ftrunk&old=3407043%40html-forms%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2025-12-01T21:27:30.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-16T16:01:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T19:29:09.431683Z", "id": "CVE-2025-13861", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T19:29:33.125Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13861", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T19:29:09.431683Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T19:29:23.316Z"}}], "cna": {"title": "HTML Forms \u2013 Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "linksoftware", "product": "HTML Forms \u2013 Simple WordPress Forms Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-01T21:27:30.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-16T16:01:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/52e2f1b9-d240-4813-9124-51bd6b047553?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L321"}, {"url": "https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L357"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419926%40html-forms%2Ftrunk&old=3407043%40html-forms%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The HTML Forms \u2013 Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:56.127Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13861", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:56.127Z", "dateReserved": "2025-12-01T21:05:53.563Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-17T04:31:30.671Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The HTML Forms \u2013 Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page."}], "id": "CVE-2025-13861", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-17T05:16:10.977", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L321"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L357"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419926%40html-forms%2Ftrunk&old=3407043%40html-forms%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/52e2f1b9-d240-4813-9124-51bd6b047553?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:03:52.179062+00:00", "value": {"mitigation_remediation": ["Upgrade the HTML Forms \u2013 Simple WordPress Forms Plugin to the latest version that contains the stored\u2011XSS fix.", "If an immediate upgrade is not feasible, restrict access to the form submissions page to trusted administrators and ensure no unauthenticated users can add or view file metadata.", "Implement robust input validation and sanitization for all file upload field metadata before storing or rendering it, for example by using WordPress\u2019s esc_html() or wp_kses_post() functions."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the HTML Forms \u2013 Simple WordPress Forms Plugin with versions 1.6.0 or earlier, which are common on WordPress sites. The vulnerability applies to the plugin\u2019s handling of uploaded file metadata and is present in every release up to and including 1.6.0.", "description_and_impact": "The HTML Forms \u2013 Simple WordPress Forms Plugin is vulnerable to an unauthenticated stored cross\u2011site scripting flaw caused by insufficient sanitization of file upload field metadata before it is displayed in the WordPress admin dashboard. An attacker can inject arbitrary web scripts that are executed every time an administrator visits the form submissions page, potentially allowing session hijacking, credential theft, or other malicious actions that compromise the confidentiality and integrity of the site. The weakness is a classic input validation error (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, while the EPSS < 1% score implies a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild. The attack vector is unauthenticated, enabling any web visitor to craft malicious file metadata that is stored and later rendered in an administrator\u2019s browser. Exploitation requires that the attacker can submit a file via the plugin\u2019s upload interface, after which the malicious script will load whenever an admin accesses the submissions page."}}}}, "created": "2025-12-17T14:28:43.870813+00:00", "updated": "2026-04-21T17:15:25.327404+00:00", "vendors": ["linksoftware", "linksoftware$PRODUCT$html_forms", "wordpress", "wordpress$PRODUCT$wordpress"]}