Reflected Cross-Site Scripting Vulnerability in User Registration & Membership Plugin for WordPress
CVE-2025-1511

6.1MEDIUM

Key Information:

Vendor: WPeverest
Status: User Registration & Membership – Custom Registration Form, Login Form, And User Profile
Vendor: CVE Published:; 28 February 2025

Summary

The User Registration & Membership plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to improper input validation and insufficient output encoding. This vulnerability can allow unauthenticated attackers to inject malicious web scripts into web pages. If a user unwittingly clicks on a specially crafted link, it can lead to harmful scripts being executed in their browser session. Site administrators using versions up to 4.0.4 should implement immediate security measures to mitigate this risk.

Affected Version(s)

User Registration & Membership – Custom Registration Form, Login Form, and User Profile * <= 4.0.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/user-registrat...

https://plugins.trac.wordpress.org/changeset/3246826/user...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 28, 2025
Vulnerability Reserved
Feb 20, 2025

Credit

Dale Mavers