{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13910", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-02T16:51:50.733Z", "datePublished": "2026-03-21T03:26:43.845Z", "dateUpdated": "2026-04-08T16:49:19.303Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:19.303Z"}, "affected": [{"vendor": "axton", "product": "WP-WebAuthn", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the `wwa_auth` AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes logged by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's log page, provided that the logging option is enabled in the plugin settings."}], "title": "WP-WebAuthn <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44407fad-6ad4-4437-930f-b25a6c6203aa?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-webauthn/tags/1.3.4/wwa-ajax.php#L906"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-webauthn/tags/1.3.4/wwa-ajax.php#L982"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-webauthn/tags/1.3.4/wwa-admin-content.php#L319"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2026-03-20T15:20:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:06:51.139208Z", "id": "CVE-2025-13910", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:07:29.907Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13910", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:06:51.139208Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:07:20.236Z"}}], "cna": {"title": "WP-WebAuthn <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "axton", "product": "WP-WebAuthn", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.3.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:20:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44407fad-6ad4-4437-930f-b25a6c6203aa?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-webauthn/tags/1.3.4/wwa-ajax.php#L906"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-webauthn/tags/1.3.4/wwa-ajax.php#L982"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-webauthn/tags/1.3.4/wwa-admin-content.php#L319"}], "descriptions": [{"lang": "en", "value": "The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the `wwa_auth` AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes logged by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's log page, provided that the logging option is enabled in the plugin settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:43.845Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13910", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:07:29.907Z", "dateReserved": "2025-12-02T16:51:50.733Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:43.845Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the `wwa_auth` AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes logged by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's log page, provided that the logging option is enabled in the plugin settings."}, {"lang": "es", "value": "El plugin WP-WebAuthn para WordPress es vulnerable a cross-site scripting almacenado no autenticado a trav\u00e9s del endpoint AJAX 'wwa_auth' en todas las versiones hasta la 1.3.4, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario y registrados por el plugin. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a la p\u00e1gina de registro del plugin, siempre que la opci\u00f3n de registro est\u00e9 habilitada en la configuraci\u00f3n del plugin."}], "id": "CVE-2025-13910", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:49.060", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-webauthn/tags/1.3.4/wwa-admin-content.php#L319"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-webauthn/tags/1.3.4/wwa-ajax.php#L906"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-webauthn/tags/1.3.4/wwa-ajax.php#L982"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44407fad-6ad4-4437-930f-b25a6c6203aa?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WP-WebAuthn", "source": "cna", "vendor": "axton"}, "product": "wp-webauthn", "vendor": "axton"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:25:52.948960+00:00", "value": {"mitigation_remediation": ["Update WP\u2011WebAuthn to the latest available version (any release newer than 1.3.4).", "If an immediate upgrade is not possible, disable the logging feature in the plugin settings to prevent script storage.", "Verify that the site\u2019s rest of the WordPress installation is up\u2011to\u2011date and that all other plugins are patched."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WP\u2011WebAuthn, a WordPress plugin developed by axton, is affected in all releases up to and including version 1.3.4. Users running any of those versions with the logging option enabled are exposed; newer releases past 1.3.4 are presumed to contain the fix.", "description_and_impact": "The WP\u2011WebAuthn plugin contains a flaw that allows an attacker without authentication to insert arbitrary HTML or JavaScript into the plugin\u2019s log page. The vulnerability arises from insufficient sanitization and output escaping of user\u2011supplied attributes that are recorded by the plugin whenever the logging feature is enabled. When a logged\u2011in user opens the log page, the injected code runs in the victim\u2019s browser, potentially dropping malicious scripts or compromising session data. The primary weakness is a classic client\u2011side injection (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.1 reflects medium severity, indicating that while the vulnerability is not immediately catastrophic, it can lead to significant compromise if exploited in a session\u2011tainting context. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting limited public exploitation yet. The attack is inferred to be an unauthenticated request to the wwa_auth AJAX endpoint, which makes it easily exploitable by any visitor able to load the log page after the payload is stored."}}}}, "created": "2026-03-23T09:50:44.072687+00:00", "updated": "2026-03-25T14:42:17.366558+00:00", "vendors": ["axton", "axton$PRODUCT$wp-webauthn", "wordpress", "wordpress$PRODUCT$wordpress"]}