PT-2025-51810 · WordPress · Simple Wordpress Forms Plugin+1
Itthidej Aramsri · Published 2025-12-17 · Updated 2025-12-17 · CVE-2025-13861
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
HTML Forms – Simple WordPress Forms Plugin for WordPress versions prior to 1.6.1
Description
The software is susceptible to unauthenticated stored cross-site scripting. Insufficient sanitization of fabricated file upload field metadata before display in the WordPress admin dashboard allows unauthenticated attackers to inject arbitrary web scripts. These scripts execute when an administrator accesses the form submissions page.
Recommendations
Update to version 1.6.1 or later.
Fix
XSS
Affected Products
Html Forms
Simple Wordpress Forms Plugin