Skip to main content

User Role WordPress Plugin CVE-2025-25114

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:25 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ehabstar User Role allows Reflected XSS. This issue affects User Role: from n/a through 1.0.

AnalysisAI

Reflected cross-site scripting (XSS) in the User Role WordPress plugin versions up to 1.0 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URL parameters. The vulnerability requires user interaction (victim must click a malicious link) but needs no authentication, enabling attackers to steal session cookies, perform actions as the victim, or deliver malware. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation. No CISA KEV listing confirms this is not yet actively exploited in the wild, though Patchstack has documented the flaw in their WordPress vulnerability database.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in the User Role WordPress plugin by ehabstar, affecting all versions through 1.0. Reflected XSS occurs when user-supplied input is incorporated into web page output without proper sanitization or encoding, allowing attackers to inject malicious JavaScript that executes in the victim's browser context. WordPress plugins commonly introduce XSS flaws when handling GET or POST parameters, search queries, or form inputs without using WordPress's built-in sanitization functions like esc_html(), esc_attr(), or wp_kses(). The CVSS vector indicates network-based delivery (AV:N), low attack complexity (AC:L), and changed scope (S:C), meaning the vulnerability allows attacks that transcend the plugin's security boundary to affect the broader WordPress installation or user session.

Affected ProductsAI

WordPress User Role plugin by ehabstar, all versions from initial release through version 1.0. Patchstack vulnerability database references identify this as affecting the WordPress plugin ecosystem specifically. Sites running WordPress with this plugin installed are vulnerable regardless of WordPress core version, as the flaw exists in the plugin code itself. No CPE identifiers available in provided data, but Patchstack advisory at https://patchstack.com/database/wordpress/plugin/user-roles/vulnerability/ provides authoritative affected version information.

RemediationAI

Immediately update the User Role plugin to a version newer than 1.0 if the vendor has released a patched version, or remove the plugin entirely if no update is available. Check the WordPress plugin repository or contact plugin author ehabstar for patch availability. As a temporary mitigation, restrict plugin usage to trusted administrators only and educate users not to click untrusted links while logged into WordPress. Implement Content Security Policy (CSP) headers with strict script-src directives to limit XSS impact, though this is defense-in-depth and does not eliminate the vulnerability. Consider replacing the plugin with alternative WordPress role management solutions that have active maintenance and security track records. Refer to Patchstack advisory at https://patchstack.com/database/wordpress/plugin/user-roles/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability-6 for any updated remediation guidance. Monitor WordPress admin activity logs for suspicious actions that could indicate XSS exploitation.

Share

CVE-2025-25114 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy