CVE-2026-42652

User Registration <= 5.1.5 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
5.1.6
Patched in
29d
Time to patch

Description

The User Registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.1.5
PublishedApril 9, 2026
Last updatedMay 7, 2026
Affected pluginuser-registration

What Changed in the Fix

Changes introduced in v5.1.6

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to identify and exploit the Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2026-42652) in the **User Registration** plugin (<= 5.1.5). ### 1. Vulnerability Summary The **User Registration** plugin is vulnerable to Reflected XSS due to the lack of prope…

Show full research plan

This research plan outlines the steps to identify and exploit the Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2026-42652) in the User Registration plugin (<= 5.1.5).

1. Vulnerability Summary

The User Registration plugin is vulnerable to Reflected XSS due to the lack of proper sanitization and escaping of URL parameters reflected in the frontend and admin pages. Specifically, the plugin uses parameters like ur_message, ur_error, or redirect_to to display notices or pre-populate hidden fields. If these parameters are echoed directly into the HTML without functions like esc_html() or esc_attr(), an attacker can inject arbitrary JavaScript.

2. Attack Vector Analysis

  • Target Endpoint: Any page containing the [user_registration_form] shortcode or the plugin's settings pages in the admin dashboard.
  • Vulnerable Parameters: ur_message, ur_error, redirect_to, and user_registration_email.
  • Authentication: None (PR:N) for frontend reflection; Subscriber/Contributor for specific profile pages; Administrator for settings pages.
  • Mechanism: An unauthenticated attacker crafts a malicious URL containing a JavaScript payload in a reflected parameter and tricks a logged-in user (or any visitor) into clicking it.

3. Code Flow

  1. Entry Point: The user visits a URL such as `http://wp

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.