Description
The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page.
Published: 2025-12-17
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The HTML Forms – Simple WordPress Forms Plugin is vulnerable to an unauthenticated stored cross‑site scripting flaw caused by insufficient sanitization of file upload field metadata before it is displayed in the WordPress admin dashboard. An attacker can inject arbitrary web scripts that are executed every time an administrator visits the form submissions page, potentially allowing session hijacking, credential theft, or other malicious actions that compromise the confidentiality and integrity of the site. The weakness is a classic input validation error (CWE‑79).

Affected Systems

All installations of the HTML Forms – Simple WordPress Forms Plugin with versions 1.6.0 or earlier, which are common on WordPress sites. The vulnerability applies to the plugin’s handling of uploaded file metadata and is present in every release up to and including 1.6.0.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, while the EPSS < 1% score implies a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild. The attack vector is unauthenticated, enabling any web visitor to craft malicious file metadata that is stored and later rendered in an administrator’s browser. Exploitation requires that the attacker can submit a file via the plugin’s upload interface, after which the malicious script will load whenever an admin accesses the submissions page.

Generated by OpenCVE AI on April 21, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HTML Forms – Simple WordPress Forms Plugin to the latest version that contains the stored‑XSS fix.
  • If an immediate upgrade is not feasible, restrict access to the form submissions page to trusted administrators and ensure no unauthenticated users can add or view file metadata.
  • Implement robust input validation and sanitization for all file upload field metadata before storing or rendering it, for example by using WordPress’s esc_html() or wp_kses_post() functions.

Generated by OpenCVE AI on April 21, 2026 at 17:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Dec 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Linksoftware
Linksoftware html Forms
Wordpress
Wordpress wordpress
Vendors & Products Linksoftware
Linksoftware html Forms
Wordpress
Wordpress wordpress

Wed, 17 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page.
Title HTML Forms – Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Linksoftware Html Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:56.127Z

Reserved: 2025-12-01T21:05:53.563Z

Link: CVE-2025-13861

cve-icon Vulnrichment

Updated: 2025-12-17T19:29:23.316Z

cve-icon NVD

Status : Deferred

Published: 2025-12-17T05:16:10.977

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13861

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses