CVE-2025-12160

Simple · Simple User Registration plugin for WordPress

A high-severity vulnerability exists in the Simple User Registration plugin for WordPress, identified as CVE-2025-12160.

Executive summary

A high-severity vulnerability exists in the Simple User Registration plugin for WordPress, identified as CVE-2025-12160. This flaw allows an attacker to inject and store malicious code on a website, which can execute in the browsers of privileged users. Successful exploitation could lead to administrator account takeover, theft of sensitive data, or complete website compromise.

Vulnerability

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw. An attacker can inject a malicious script (e.g., JavaScript) into the 'wpr_admin_msg' parameter. This malicious input is not properly sanitized and is stored in the website's database. When an administrator or other privileged user views the page containing this stored data, the malicious script executes within their browser, inheriting their permissions and session context. This could allow the attacker to steal session cookies, perform administrative actions on behalf of the victim, or redirect the user to a malicious website.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.2. A successful exploit could have a significant business impact, including the compromise of administrator accounts, leading to a full site takeover. Potential consequences include theft of sensitive customer or user data, website defacement causing reputational damage, and using the compromised website to distribute malware or launch phishing attacks against customers. This poses a direct risk to data confidentiality, integrity, and availability.

Remediation

Immediate Action: Update the Simple User Registration plugin to the latest available version that addresses this vulnerability. If the plugin is no longer essential for business operations, it should be deactivated and uninstalled immediately to eliminate the attack surface.

Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for suspicious POST requests to pages utilizing the 'wpr_admin_msg' parameter, specifically looking for payloads containing <script>, onerror, or other XSS-related HTML tags and JavaScript events. Regularly scan the website for unauthorized code modifications or unexpected administrative changes.
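As an added illustration of the monitoring step above (this is example code written for this page, not a tool supplied by the advisory or the plugin), the following scanner reads WAF-style request records and flags POST requests whose 'wpr_admin_msg' parameter carries script tags, on* event handlers or similar markup, after undoing URL and HTML encoding so that encoded payloads are still caught. The JSON-per-line log format, the field names, the plugin settings path and the log entries themselves are all constructed assumptions; adapt `parse_record` and the sample data to whatever your WAF actually emits.

```python
"""Scan WAF-style request logs for stored-XSS attempts against the
'wpr_admin_msg' parameter (CVE-2025-12160). Added example, not part of
the advisory or the plugin; log format and sample records are constructed."""
import html
import json
import re
from urllib.parse import parse_qs, unquote_plus

PARAM = "wpr_admin_msg"

# Indicators named in the advisory (<script>, onerror and similar event
# handlers) plus a few closely related markup patterns. They are applied
# to the decoded value so percent- or entity-encoded payloads still match.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
]


def normalise(value: str) -> str:
    """Strip up to three layers of URL / HTML-entity encoding."""
    out = value
    for _ in range(3):
        decoded = html.unescape(unquote_plus(out))
        if decoded == out:
            break
        out = decoded
    return out


def matched_indicators(value: str) -> list[str]:
    """Return the patterns that fire on the decoded parameter value."""
    text = normalise(value)
    return [p.pattern for p in XSS_PATTERNS if p.search(text)]


def is_suspicious(value: str) -> bool:
    return bool(matched_indicators(value))


def parse_record(line: str) -> dict:
    """Assumed format: one JSON object per line with method, path, body,
    src and ts fields. Replace this for a real WAF export."""
    return json.loads(line)


def scan_records(lines) -> list[dict]:
    """Return one finding per POST record whose 'wpr_admin_msg' value
    looks like injected markup."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_record(raw)
        if rec.get("method", "").upper() != "POST":
            continue  # the stored value is set by a POST, per the advisory
        params = parse_qs(rec.get("body", ""), keep_blank_values=True)
        for value in params.get(PARAM, []):
            hits = matched_indicators(value)
            if hits:
                findings.append({
                    "ts": rec.get("ts"),
                    "src": rec.get("src"),
                    "path": rec.get("path"),
                    "value": normalise(value),
                    "indicators": hits,
                })
    return findings


# Constructed sample records. The settings-page path is a placeholder;
# the advisory does not state the plugin's real admin page slug.
SETTINGS_PATH = "/wp-admin/admin.php?page=PLUGIN-SETTINGS-PAGE"
SAMPLE_LOG = [
    json.dumps({"ts": "2025-10-20T10:01:02Z", "src": "198.51.100.7", "method": "POST",
                "path": SETTINGS_PATH, "body": "wpr_admin_msg=Registration+open+on+Monday"}),
    json.dumps({"ts": "2025-10-20T10:02:15Z", "src": "203.0.113.5", "method": "POST",
                "path": SETTINGS_PATH,
                "body": "wpr_admin_msg=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"}),
    json.dumps({"ts": "2025-10-20T10:02:40Z", "src": "203.0.113.5", "method": "POST",
                "path": SETTINGS_PATH,
                "body": "wpr_admin_msg=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"}),
    json.dumps({"ts": "2025-10-20T10:03:00Z", "src": "192.0.2.9", "method": "GET",
                "path": "/", "body": ""}),
    # double-encoded payload: only visible after a second decoding pass
    json.dumps({"ts": "2025-10-20T10:04:11Z", "src": "203.0.113.5", "method": "POST",
                "path": SETTINGS_PATH, "body": "wpr_admin_msg=%253Cscript%253E"}),
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['path']} -> {f['indicators']}")
```

Two practical points: standard web server access logs do not record POST bodies, so parameter-level checks like this one need WAF or application-level request logging; and the pattern list is deliberately narrow to keep false positives low, so treat a hit as a trigger for reviewing the stored value in the plugin's settings, not as proof of compromise.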

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a robust ruleset to detect and block XSS attacks. Enforce a strict Content Security Policy (CSP) on the website to prevent the execution of untrusted inline scripts.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity rating (CVSS 7.2) and the ease of exploitation for XSS vulnerabilities, it is strongly recommended that organizations identify all WordPress instances using the affected "Simple User Registration" plugin and apply the vendor-supplied patch immediately. Prioritize patching on all internet-facing systems. After patching, verify that the update was successful and the site remains fully functional.