Skip to main content

User Registration Aide CVE-2025-53239

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 24, 2026 - 00:54 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:43 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bnovotny User Registration Aide user-registration-aide allows Reflected XSS.This issue affects User Registration Aide: from n/a through <= 1.5.3.8.

AnalysisAI

Reflected cross-site scripting in User Registration Aide WordPress plugin versions through 1.5.3.8 allows remote attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs. Users must click a malicious link to trigger the attack. EPSS score of 0.05% (17th percentile) indicates very low probability of exploitation in the wild, and no active exploitation or public exploits are confirmed. Patchstack security team identified this flaw, which carries CVSS 7.1 with changed scope, meaning successful exploitation impacts resources beyond the vulnerable component.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in the User Registration Aide WordPress plugin. The flaw stems from improper neutralization of user-supplied input during web page generation - the plugin fails to adequately sanitize or encode attacker-controlled data before rendering it in HTTP responses. WordPress plugins that handle user registration forms often accept parameters via GET or POST requests (email addresses, usernames, custom fields) and reflect them in confirmation pages, error messages, or form redisplay logic. When these parameters are echoed back to the browser without HTML entity encoding or context-appropriate escaping, attackers can inject JavaScript payloads that execute in the security context of the WordPress site. The 'reflected' classification means the malicious script is not permanently stored in the application database but must be delivered to victims via crafted URLs or form submissions, typically through phishing or social engineering vectors.

Affected ProductsAI

WordPress plugin User Registration Aide by bnovotny, all versions from initial release through version 1.5.3.8. Exact CPE not provided in source data. Sites running this plugin are vulnerable if the registration aide functionality is publicly accessible. Vendor advisory available at Patchstack database: https://patchstack.com/database/Wordpress/Plugin/user-registration-aide/vulnerability/wordpress-user-registration-aide-plugin-1-5-3-8-cross-site-scripting-xss-vulnerability

RemediationAI

Upgrade User Registration Aide to version 1.5.3.9 or later if available (patch status not independently confirmed - verify current version in WordPress plugin repository). Remove or disable the plugin if registration aide functionality is not actively required for business operations. If plugin must remain active pending patch, implement compensating controls: restrict access to registration aide pages using WordPress role-based access controls or .htaccess IP whitelisting to limit exposure to trusted networks only; deploy web application firewall (WAF) rules to detect and block common XSS patterns in query parameters and form fields (note: may cause false positives with legitimate special characters in user input); enable Content Security Policy headers via security plugin or .htaccess to restrict inline script execution (may break legitimate plugin JavaScript if not carefully tuned). Review Patchstack advisory for additional vendor-specific guidance: https://patchstack.com/database/Wordpress/Plugin/user-registration-aide/vulnerability/wordpress-user-registration-aide-plugin-1-5-3-8-cross-site-scripting-xss-vulnerability

Share

CVE-2025-53239 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy