CVE 7.2 HIGH

Simple User Registration <= 6.6 - Unauthenticated Stored Cross-Site Scripting_CVE-2025-12160

November 21, 2025 invoker category_cve
7.2 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Description

The Simple User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpr_admin_msg' parameter in all versions up to, and including, 6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Basic Information

ID CVE-2025-12160
Source Wordfence
Published Nov 21, 2025 at 09:27

Affected Product

Vendor nmedia
Product Simple User Registration
Version *
Affected Versions nmedia Simple User Registration *

CWE Classification

CWE-79

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.