User Registration <= 5.1.5 - Reflected Cross-Site Scripting
Description
The User Registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NTechnical Details
<=5.1.5What Changed in the Fix
Changes introduced in v5.1.6
Source Code
WordPress.org SVNThis research plan outlines the steps to identify and exploit the Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2026-42652) in the **User Registration** plugin (<= 5.1.5). ### 1. Vulnerability Summary The **User Registration** plugin is vulnerable to Reflected XSS due to the lack of prope…
Show full research plan
This research plan outlines the steps to identify and exploit the Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2026-42652) in the User Registration plugin (<= 5.1.5).
1. Vulnerability Summary
The User Registration plugin is vulnerable to Reflected XSS due to the lack of proper sanitization and escaping of URL parameters reflected in the frontend and admin pages. Specifically, the plugin uses parameters like ur_message, ur_error, or redirect_to to display notices or pre-populate hidden fields. If these parameters are echoed directly into the HTML without functions like esc_html() or esc_attr(), an attacker can inject arbitrary JavaScript.
2. Attack Vector Analysis
- Target Endpoint: Any page containing the
[user_registration_form]shortcode or the plugin's settings pages in the admin dashboard. - Vulnerable Parameters:
ur_message,ur_error,redirect_to, anduser_registration_email. - Authentication: None (PR:N) for frontend reflection; Subscriber/Contributor for specific profile pages; Administrator for settings pages.
- Mechanism: An unauthenticated attacker crafts a malicious URL containing a JavaScript payload in a reflected parameter and tricks a logged-in user (or any visitor) into clicking it.
3. Code Flow
- Entry Point: The user visits a URL such as `http://wp
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.