HTML Forms – Simple WordPress Forms Plugin

6.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page.

Basic Information

ID CVE-2025-13861

Source Wordfence

Published Dec 17, 2025 at 04:31

Affected Product

Vendor linksoftware

Product HTML Forms – Simple WordPress Forms Plugin

Version *

Affected Versions linksoftware HTML Forms – Simple WordPress Forms Plugin *

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "The HTML Forms \u2013 Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page.",
    "published": "2025-12-17T04:31:30.671Z",
    "modified": "2025-12-17T04:31:30.671Z",
    "type": "cve",
    "title": "HTML Forms \u2013 Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/52e2f1b9-d240-4813-9124-51bd6b047553?source=cve\nhttps://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L321\nhttps://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L357\nhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419926%40html-forms%2Ftrunk&old=3407043%40html-forms%2Ftrunk&sfp_email=&sfph_mail=",
    "id": "CVE-2025-13861",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "linksoftware HTML Forms \u2013 Simple WordPress Forms Plugin *",
    "sourceHref": "",
    "cvss": {
        "score": 6.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "HTML Forms \u2013 Simple WordPress Forms Plugin",
    "version": "*",
    "vendor": "linksoftware",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

HTML Forms – Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting_CVE-2025-13861