CVE-2025-13746
Stored XSS in ForumWP Plugin via User Display Name
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| forumwp | forumwp | to 2.1.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the ForumWP WordPress plugin (up to version 2.1.6) is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize or escape the User's Display Name input. This allows authenticated users with Subscriber-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user views the affected page, potentially compromising user security.
How can this vulnerability impact me? :
This vulnerability can allow attackers with subscriber-level access to inject arbitrary web scripts into forum pages. When other users visit these pages, the malicious scripts execute in their browsers. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions affecting users and site integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the User's Display Name in the ForumWP plugin for WordPress. Detection would involve identifying if any user display names contain malicious scripts that get executed when pages are loaded. Since the vulnerability is in the plugin's handling of user display names, you can detect it by inspecting user display names for suspicious script tags or payloads. There are no specific commands provided in the resources, but general approaches include: 1. Querying the WordPress database for user display names containing script tags or suspicious HTML. For example, using SQL: `SELECT ID, display_name FROM wp_users WHERE display_name LIKE '%<script>%' OR display_name LIKE '%<img%' OR display_name LIKE '%onerror=%';` 2. Using web application scanners or XSS detection tools to crawl forum pages and detect script injection. 3. Reviewing user-generated content and profiles for injected scripts. Since no explicit commands or detection scripts are provided in the resources, these general methods apply.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Update the ForumWP plugin to a version later than 2.1.6 where the vulnerability is fixed. 2. Restrict or review user permissions to limit Subscriber-level users from injecting malicious scripts, if updating is not immediately possible. 3. Manually sanitize or remove suspicious user display names containing scripts from the database. 4. Implement Web Application Firewall (WAF) rules to block common XSS payloads targeting user display names. 5. Educate users and administrators about the risk and monitor for suspicious activity. Since the vulnerability arises from insufficient input sanitization and output escaping in user display names, updating the plugin is the most effective immediate step.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources and context do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.