Description
The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the `wwa_auth` AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes logged by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's log page, provided that the logging option is enabled in the plugin settings.
Published: 2026-03-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The WP‑WebAuthn plugin contains a flaw that allows an attacker without authentication to insert arbitrary HTML or JavaScript into the plugin’s log page. The vulnerability arises from insufficient sanitization and output escaping of user‑supplied attributes that the `wwa_auth` AJAX endpoint records whenever the logging feature is enabled. When a logged‑in user later opens the log page, the stored markup is rendered and the injected script runs in that user’s browser with that user’s privileges, which is enough to perform authenticated actions on their behalf or capture session data. The primary weakness is a classic client‑side injection (CWE‑79): untrusted input is stored and then echoed without escaping.
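The pattern behind this flaw class, as an added illustration written for this page (it is not the WP-WebAuthn plugin's source and does not reproduce its endpoint): a WordPress AJAX handler reachable without a session records request attributes into an option, and an admin page renders them. The vulnerable shape stores and echoes the raw values; the hardened shape sanitizes on input, escapes on output, and restricts who may view the log. The action names `example_auth_vulnerable` and `example_auth`, the option name `example_auth_log`, the logged fields (`user`, `agent`) and the `manage_options` capability check are assumptions made for the example.

```php
<?php
/*
 * Illustrative stored-XSS-via-logging pattern for a WordPress plugin.
 * Example code written for this page; NOT the WP-WebAuthn plugin's code.
 * Assumed: option name, action names, logged field names, capability.
 */

const EXAMPLE_LOG_OPTION = 'example_auth_log'; // assumed option name

/* ---------- Vulnerable shape (what the advisory describes) ---------- */

function example_vulnerable_log_handler() {
    $log   = get_option( EXAMPLE_LOG_OPTION, array() );
    $log[] = array(
        'time'   => time(),
        // Attacker-controlled strings are stored exactly as received.
        'user'   => isset( $_POST['user'] ) ? wp_unslash( $_POST['user'] ) : '',
        'agent'  => isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '',
        'result' => 'failed',
    );
    update_option( EXAMPLE_LOG_OPTION, $log );
    wp_send_json_error( 'authentication failed' );
}
// wp_ajax_nopriv_*: any unauthenticated visitor can reach this handler.
add_action( 'wp_ajax_nopriv_example_auth_vulnerable', 'example_vulnerable_log_handler' );

function example_vulnerable_log_page() {
    foreach ( get_option( EXAMPLE_LOG_OPTION, array() ) as $row ) {
        // No escaping: a stored "<script>...</script>" executes in the
        // browser of whoever opens this page.
        echo '<tr><td>' . $row['user'] . '</td><td>' . $row['agent'] . '</td></tr>';
    }
}

/* ---------- Hardened shape ---------- */

// Reject non-strings, strip tags/control characters, cap the length so a
// flood of requests cannot bloat the options table.
function example_clean_attr( $value, $max_len ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    return substr( sanitize_text_field( wp_unslash( $value ) ), 0, $max_len );
}

function example_hardened_log_handler() {
    $log   = get_option( EXAMPLE_LOG_OPTION, array() );
    $log[] = array(
        'time'   => time(),
        'user'   => example_clean_attr( $_POST['user'] ?? '', 100 ),
        'agent'  => example_clean_attr( $_SERVER['HTTP_USER_AGENT'] ?? '', 255 ),
        'result' => 'failed',
    );
    // autoload=false: the log is only needed on its own admin page.
    update_option( EXAMPLE_LOG_OPTION, $log, false );
    wp_send_json_error( 'authentication failed' );
}
// The endpoint still has to be reachable without a session, since it is
// an authentication endpoint; the fix is in what gets stored and shown.
add_action( 'wp_ajax_nopriv_example_auth', 'example_hardened_log_handler' );

function example_hardened_log_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }
    foreach ( get_option( EXAMPLE_LOG_OPTION, array() ) as $row ) {
        // Escape at output regardless of what was stored: rows written by
        // an older, unsanitized version are neutralised here as well.
        printf(
            '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
            esc_html( wp_date( 'Y-m-d H:i:s', (int) $row['time'] ) ),
            esc_html( $row['user'] ),
            esc_html( $row['agent'] )
        );
    }
}
```

Two points the hardened version makes that a patch for this class of bug should also make. First, because the endpoint authenticates users it must remain reachable by unauthenticated callers (`wp_ajax_nopriv_`), so adding a nonce or login requirement is not the fix; sanitizing the stored attributes and escaping at the point of output is. Second, escaping at output (`esc_html`) rather than relying only on input sanitization also defuses entries that were written before the fix, which matters on a site that already had logging enabled.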

Affected Systems

WP‑WebAuthn, a WordPress plugin developed by axton, is affected in all releases up to and including version 1.3.4. Users running any of those versions with the logging option enabled are exposed; newer releases past 1.3.4 are presumed to contain the fix.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects medium severity: the injection is network‑reachable and needs no privileges or special conditions, but execution requires user interaction (a user opening the log page), and the confidentiality and integrity impact is rated low. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, which indicates no known public exploitation at the time of writing; the SSVC assessment likewise records exploitation as none and the flaw as not automatable. The attack itself is a single unauthenticated request to the `wwa_auth` AJAX endpoint carrying a script payload in an attribute the plugin logs; the payload then executes in the browser of any logged‑in user who opens the log page while the logging option is enabled. Because the payload is stored, the exposure persists after the request is made, until the offending entries are no longer rendered unescaped.

Generated by OpenCVE AI on March 21, 2026 at 06:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP‑WebAuthn to the latest available version (any release newer than 1.3.4).
  • If an immediate upgrade is not possible, disable the logging feature in the plugin settings so that attacker‑supplied attributes are no longer stored; entries already recorded should be treated as untrusted until the site runs a fixed version.
  • Verify that the rest of the WordPress installation is up‑to‑date and that all other plugins are patched.


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values added: Axton; Axton wp-webauthn; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Axton; Axton wp-webauthn; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values added: (identical to the Description at the top of this page)

Type: Title
Values added: WP-WebAuthn <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (none shown)

Type: Metrics
Values added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:19.303Z

Reserved: 2025-12-02T16:51:50.733Z

Link: CVE-2025-13910

Vulnrichment

Updated: 2026-03-23T16:07:20.236Z

NVD

Status : Deferred

Published: 2026-03-21T04:16:49.060

Modified: 2026-04-22T21:32:08.360

Link: CVE-2025-13910

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:17Z

Weaknesses