CVE-2025-13728
Stored XSS in FluentAuth WordPress Plugin Allows Script Injection
Publication date: 2025-12-15
Last updated on: 2025-12-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fluentauth | fluent_auth | 2.0.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the FluentAuth WordPress plugin, specifically in the `fluent_auth_reset_password` shortcode. It occurs because the plugin does not properly sanitize or escape user-supplied attributes. As a result, authenticated users with contributor-level access or higher can inject malicious scripts into pages. These scripts execute whenever any user accesses the infected page, potentially compromising user data or site integrity.
How can this vulnerability impact me? :
The vulnerability allows authenticated attackers with contributor-level access or above to inject arbitrary web scripts into pages. This can lead to unauthorized actions such as stealing user credentials, hijacking user sessions, defacing the website, or distributing malware to visitors. Since the injected scripts execute in the context of the site, it can compromise the security and trustworthiness of the affected WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the FluentAuth WordPress plugin version 2.0.3 or earlier is installed and if the `fluent_auth_reset_password` shortcode is used in pages. Since the vulnerability is a Stored Cross-Site Scripting (XSS) via insufficient input sanitization on user-supplied attributes, one approach is to scan for pages containing this shortcode and test if they accept and store malicious script payloads. Specific commands are not provided in the resources, but typical detection might include using web vulnerability scanners targeting stored XSS in WordPress plugins or manual inspection of pages using the shortcode. Additionally, checking the plugin version via WP-CLI can be done with: `wp plugin list --status=active` to identify if FluentAuth is installed and its version. No explicit commands for detection are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the FluentAuth plugin to version 2.1.0 or later, where the vulnerability has been addressed by adding proper input sanitization, output escaping, nonce protections against CSRF, validation of redirect URLs, and other security improvements as detailed in the changeset. If updating is not immediately possible, restrict contributor-level access and above to trusted users only, and avoid using the `fluent_auth_reset_password` shortcode on publicly accessible pages. Applying WordPress security best practices such as limiting user permissions and monitoring for suspicious activity is also recommended. [2]