CVE-2025-13910 Overview
The WP-WebAuthn plugin for WordPress contains an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the wwa_auth AJAX endpoint affecting all versions up to and including 1.3.4. This security flaw stems from insufficient input sanitization and output escaping on user-supplied attributes that are logged by the plugin. An unauthenticated attacker can exploit this vulnerability to inject arbitrary web scripts into pages that execute whenever an administrator or user accesses the plugin's log page, provided that the logging option is enabled in the plugin settings.
Critical Impact
Unauthenticated attackers can inject malicious scripts that execute in the context of authenticated administrators viewing the plugin's log page, potentially leading to session hijacking, privilege escalation, or further compromise of the WordPress installation.
Affected Products
- WP-WebAuthn plugin for WordPress versions up to and including 1.3.4
- WordPress installations with the WP-WebAuthn plugin and logging enabled
- Any site using the vulnerable wwa_auth AJAX endpoint
Discovery Timeline
- 2026-03-21 - CVE CVE-2025-13910 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2025-13910
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The Stored XSS variant is particularly dangerous because the malicious payload persists in the application's database and is served to users upon accessing affected pages.
The vulnerability exists within the WP-WebAuthn plugin's authentication logging mechanism. When the plugin's logging feature is enabled, user-supplied data passed through the wwa_auth AJAX endpoint is stored without proper sanitization. This data is subsequently rendered on the plugin's administrative log page without adequate output escaping, allowing the injected scripts to execute in the browser context of any user viewing the logs.
The attack requires no authentication to inject the malicious payload, making it accessible to any internet-facing attacker. However, the impact is contingent upon the logging feature being enabled and an authenticated user (typically an administrator) viewing the log page where the injected content is displayed.
Root Cause
The root cause of this vulnerability lies in the failure to implement proper input validation and output encoding at two critical points in the application flow:
Input Sanitization Failure: The wwa_auth AJAX endpoint in wwa-ajax.php accepts user-controlled input without adequately sanitizing or validating the data before storing it in the plugin's log.
Output Escaping Failure: The administrative log display functionality in wwa-admin-content.php renders the stored log data without applying proper HTML entity encoding or escaping, allowing previously stored malicious scripts to execute.
WordPress provides built-in functions such as esc_html(), esc_attr(), and wp_kses() specifically designed to prevent XSS vulnerabilities. The failure to utilize these functions when handling user input destined for display in the browser enables this attack vector.
Attack Vector
The attack is executed over the network and requires no prior authentication to the target system. An attacker can craft a malicious request to the wwa_auth AJAX endpoint containing JavaScript payloads embedded in parameter values that the plugin logs.
The attack flow proceeds as follows:
- The attacker identifies a WordPress installation running a vulnerable version of WP-WebAuthn with logging enabled
- The attacker sends a crafted HTTP request to the wwa_auth AJAX endpoint with malicious JavaScript in loggable parameters
- The plugin stores the malicious content in its log without proper sanitization
- When an administrator accesses the plugin's log page in the WordPress admin panel, the stored JavaScript executes in their browser
- The malicious script can then perform actions as the authenticated administrator, steal session cookies, or redirect to phishing pages
For detailed technical analysis, refer to the vulnerable code sections documented in the WordPress WebAuthn Admin Code and WordPress WebAuthn Ajax Code.
Detection Methods for CVE-2025-13910
Indicators of Compromise
- Unusual or unexpected JavaScript code present in WP-WebAuthn plugin log entries
- Suspicious AJAX requests to the wwa_auth endpoint containing HTML tags or JavaScript syntax
- Administrator reports of unexpected behavior or redirects when viewing the plugin's log page
- Browser console errors indicating script execution from unexpected sources
Detection Strategies
- Monitor web server access logs for requests to admin-ajax.php with action parameter wwa_auth containing suspicious payloads
- Implement Web Application Firewall (WAF) rules to detect and block common XSS patterns in requests to WordPress AJAX endpoints
- Regularly audit the WP-WebAuthn plugin log database entries for stored XSS payloads using pattern matching for <script>, onerror, onload, and similar HTML event handlers
- Deploy Content Security Policy (CSP) headers to detect and report inline script execution attempts
Monitoring Recommendations
- Enable browser Content Security Policy violation reporting to capture XSS exploitation attempts
- Configure intrusion detection systems to alert on HTTP requests containing URL-encoded script tags targeting WordPress AJAX endpoints
- Implement database-level monitoring for the WP-WebAuthn log table to detect insertion of records containing HTML or JavaScript syntax
- Review WordPress admin access logs for unusual activity patterns following log page views
How to Mitigate CVE-2025-13910
Immediate Actions Required
- Update the WP-WebAuthn plugin to the latest patched version immediately
- Temporarily disable the logging feature in WP-WebAuthn plugin settings until the update is applied
- Review existing log entries for any evidence of malicious script injection and purge compromised records
- Consider temporarily deactivating the plugin if an immediate update is not possible
Patch Information
Users should update the WP-WebAuthn plugin to the latest available version that addresses this vulnerability. The patch implements proper input sanitization when logging user data and applies appropriate output escaping when rendering log entries on the administrative interface.
For detailed vulnerability information and patch verification, consult the Wordfence Vulnerability Report.
Workarounds
- Disable the WP-WebAuthn plugin logging feature through the plugin settings panel until the patch can be applied
- Restrict administrative access to the plugin's log page to essential personnel only
- Implement a Web Application Firewall with rules to filter XSS payloads in requests to WordPress AJAX endpoints
- Apply Content Security Policy headers to prevent inline script execution as a defense-in-depth measure
# Add CSP header to Apache configuration as defense-in-depth
# Add to .htaccess or Apache virtual host configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
# For Nginx, add to server block configuration
# add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
