Stored Cross-Site Scripting Vulnerability in FluentAuth Plugin for WordPress
CVE-2025-13728

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Fluentauth – The Ultimate Authorization & Security Plugin For WordPress
Vendor: CVE Published:; 15 December 2025

What is CVE-2025-13728?

The FluentAuth plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in the fluent_auth_reset_password shortcode. This vulnerability affects all versions up to and including 2.0.3 and allows authenticated users with contributor level access or above to inject malicious scripts into pages. These scripts are executed when any user accesses the manipulated page, potentially compromising their account or data.

Affected Version(s)

FluentAuth – The Ultimate Authorization & Security Plugin for WordPress * <= 2.0.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3409232/flue...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 15, 2025
Vulnerability Reserved
Nov 25, 2025

Credit

Muhammad Yudha - DJ

JSON