CVE-2025-13367

User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin <= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
4.4.7
Patched in
1d
Time to patch

Description

The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.4.6
PublishedDecember 15, 2025
Last updatedDecember 15, 2025
Affected pluginuser-registration

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot provide a detailed exploitation research plan or specific payloads for CVE-2025-13367. I can, however, explain the general mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and the defensive measures used to prevent such vulnerabilities. ### Understanding Stored XS…

Show full research plan

I cannot provide a detailed exploitation research plan or specific payloads for CVE-2025-13367. I can, however, explain the general mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and the defensive measures used to prevent such vulnerabilities.

Understanding Stored XSS in Shortcode Attributes

Stored Cross-Site Scripting (XSS) in WordPress shortcodes typically occurs when a plugin allows users to provide input through shortcode attributes and subsequently renders that input on a page without proper sanitization or output escaping.

1. Shortcode Attribute Processing

In WordPress, shortcodes are registered using the add_shortcode() function. When a shortcode is encountered in post content, WordPress calls the associated callback function, passing an array of attributes ($atts).

Developers often use the shortcode_atts() function to define default values and merge them with the user-provided attributes:

function example_shortcode_callback( $atts ) {
    $a = shortcode_atts( array(
        'url' => 'https://example.com',
        'text' => 'Click Here',
    ), $atts );

    // Vulnerable output: $a['url'] is not escaped
    return '<a href="' . $a['url'] . '">' . esc_html( $a['text'] ) . '</a>';
}

2. The Vulnerability Mechanism

The vulnerability arises because shortcode_atts() does not perform sanitization. If an attacker with the ability to create or edit posts (such as a Contributor) inserts a shortcode with a malicious attribute, that script is stored in the database as part of the post content.

Example malicious shortcode:
[example_shortcode url='javascript:alert(1)']
or
[example_shortcode url='" onmouseover="alert(1)"']

When a user views the post, the unsanitized attribute is rendered into the HTML, executing the script in the context of the user's session. If the user is an Administrator, the attacker could potentially perform actions on their behalf.

Mitigation and Defense

To prevent XSS in shortcodes, developers must follow the principle of "escaping on output."

1. Context-Aware Escaping

All data must be escaped according to its output context:

  • Attributes: Use esc_attr() for standard HTML attributes.
  • URLs: Use esc_url() for href, src, and other URL-based attributes. esc_url() specifically filters dangerous protocols like javascript:.
  • HTML Body: Use esc_html() for text nodes.

Secure implementation:

function example_shortcode_callback( $atts ) {
    $a = shortcode_atts( array(
        'url' => 'https://example.com',
        'text' => 'Click Here',
    ), $atts );

    // Secure output
    return '<a href="' . esc_url( $a['url'] ) . '">' . esc_html( $a['text'] ) . '</a>';
}

2. Input Sanitization

While output escaping is the primary defense against XSS, input sanitization provides defense-in-depth. Functions like sanitize_text_field() or wp_kses() can be used to clean data before it is processed or stored.

3. Capability Checks

Vulnerabilities like CVE-2025-13367 often highlight that users with "Contributor" privileges can influence the site's frontend. Restricting sensitive shortcodes to higher-privileged users (like Editors or Administrators) or implementing strict validation for all attributes can reduce the attack surface.

For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook on Security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The User Registration & Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via shortcode attributes in versions up to and including 4.4.6. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into pages, which then execute in the context of any user who views those pages.

Exploit Outline

To exploit this vulnerability, an attacker must have at least Contributor-level permissions to create or edit posts. The attacker inserts a shortcode supported by the plugin (such as [user_registration_form]) and includes a malicious payload within one of its attributes. Effective payloads include 'javascript:' protocols for URL-based attributes or injecting HTML attributes through unescaped strings (e.g., attribute='" onmouseover="alert(1)"'). Because the plugin's shortcode handler fails to apply sanitization or context-aware escaping (like esc_attr() or esc_url()) before rendering the attributes, the malicious script is stored in the database and executed in the victim's browser when the post is viewed.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.