CVE-2025-13367
Stored XSS in WordPress User Registration & Membership Plugin
Publication date: 2025-12-15
Last updated on: 2025-12-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | user_registration | * |
| wordpress | wordpress | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the User Registration & Membership WordPress plugin up to version 4.4.6. It occurs because the plugin does not properly sanitize and escape input from multiple shortcode attributes. Authenticated users with contributor-level access or higher can inject malicious scripts into pages, which then execute whenever any user views those pages.
How can this vulnerability impact me? :
The vulnerability allows attackers with contributor-level access to inject arbitrary web scripts into pages. This can lead to malicious script execution in the browsers of users who visit the infected pages, potentially resulting in theft of user credentials, session hijacking, defacement, or other malicious actions that compromise user security and site integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the User Registration & Membership plugin to version 4.4.7 or later, which includes sanitization and escaping of user inputs and shortcode attributes to prevent stored cross-site scripting (XSS). The update applies WordPress sanitization functions such as wp_kses_post(), esc_html(), and esc_attr() to sanitize GET parameters and shortcode attributes before output. Ensuring that only authenticated users with appropriate privileges can inject content and applying these security patches will reduce the risk of exploitation. [2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources and context do not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this Stored Cross-Site Scripting (XSS) vulnerability in the User Registration & Membership WordPress plugin, you can look for pages or posts containing suspicious shortcode attributes that may include injected scripts. Since the vulnerability affects versions up to 4.4.6, first verify the plugin version installed. You can check the plugin version via WordPress admin or by running: `wp plugin list | grep user-registration`. To detect potential exploitation, you can search the database for shortcode attributes containing script tags or suspicious JavaScript code. For example, using a MySQL command to search the WordPress posts table: `SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script>%' OR post_content LIKE '%onerror=%' OR post_content LIKE '%javascript:%';`. Additionally, monitoring HTTP requests for unusual payloads in POST or GET parameters related to the plugin's shortcodes may help. However, no specific detection commands are provided in the resources.