Cross-site Scripting Vulnerability in WPFront User Role Editor by Syam Mohan
CVE-2025-60102

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: WPfront User Role Editor
Vendor: CVE Published:; 26 September 2025

What is CVE-2025-60102?

The WPFront User Role Editor plugin for WordPress, developed by Syam Mohan, is susceptible to a stored Cross-site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to significant security risks for WordPress sites. Affected versions include all prior to 4.2.3, highlighting the importance of updating and securing your WordPress environment.

Affected Version(s)

WPFront User Role Editor <= 4.2.3

References

https://patchstack.com/database/wordpress/plugin/wpfront-...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 26, 2025
Vulnerability Reserved
Sep 25, 2025

Credit

zaim (Patchstack Alliance)

JSON