User Role WordPress Plugin CVE-2025-25114
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ehabstar User Role allows Reflected XSS. This issue affects User Role: from n/a through 1.0.
AnalysisAI
Reflected cross-site scripting (XSS) in the User Role WordPress plugin versions up to 1.0 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URL parameters. The vulnerability requires user interaction (victim must click a malicious link) but needs no authentication, enabling attackers to steal session cookies, perform actions as the victim, or deliver malware. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation. No CISA KEV listing confirms this is not yet actively exploited in the wild, though Patchstack has documented the flaw in their WordPress vulnerability database.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in the User Role WordPress plugin by ehabstar, affecting all versions through 1.0. Reflected XSS occurs when user-supplied input is incorporated into web page output without proper sanitization or encoding, allowing attackers to inject malicious JavaScript that executes in the victim's browser context. WordPress plugins commonly introduce XSS flaws when handling GET or POST parameters, search queries, or form inputs without using WordPress's built-in sanitization functions like esc_html(), esc_attr(), or wp_kses(). The CVSS vector indicates network-based delivery (AV:N), low attack complexity (AC:L), and changed scope (S:C), meaning the vulnerability allows attacks that transcend the plugin's security boundary to affect the broader WordPress installation or user session.
Affected ProductsAI
WordPress User Role plugin by ehabstar, all versions from initial release through version 1.0. Patchstack vulnerability database references identify this as affecting the WordPress plugin ecosystem specifically. Sites running WordPress with this plugin installed are vulnerable regardless of WordPress core version, as the flaw exists in the plugin code itself. No CPE identifiers available in provided data, but Patchstack advisory at https://patchstack.com/database/wordpress/plugin/user-roles/vulnerability/ provides authoritative affected version information.
RemediationAI
Immediately update the User Role plugin to a version newer than 1.0 if the vendor has released a patched version, or remove the plugin entirely if no update is available. Check the WordPress plugin repository or contact plugin author ehabstar for patch availability. As a temporary mitigation, restrict plugin usage to trusted administrators only and educate users not to click untrusted links while logged into WordPress. Implement Content Security Policy (CSP) headers with strict script-src directives to limit XSS impact, though this is defense-in-depth and does not eliminate the vulnerability. Consider replacing the plugin with alternative WordPress role management solutions that have active maintenance and security track records. Refer to Patchstack advisory at https://patchstack.com/database/wordpress/plugin/user-roles/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability-6 for any updated remediation guidance. Monitor WordPress admin activity logs for suspicious actions that could indicate XSS exploitation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today