Impact
The Simple User Registration WordPress plugin contains a stored cross‑site scripting flaw that allows a malicious user to submit arbitrary JavaScript through the wpr_admin_msg parameter. Because the input is stored without proper sanitization or escaping, the injected script is later rendered in the browser of any visitor who views a page that displays the message. Falling under CWE‑79, this flaw enables an attacker to run code in the context of the site.
Affected Systems
The vulnerability affects the Simple User Registration plugin released by nmedia, in every version up to and including 6.6. Any WordPress installation running one of those releases is vulnerable until the plugin is upgraded to a fixed version.
Risk and Exploitability
With a CVSS score of 7.2 the flaw is of moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation. An unauthenticated attacker can inject arbitrary JavaScript via the wpr_admin_msg parameter; the value is stored without sanitization or escaping and rendered whenever a page displaying the message is viewed. Based on the description, it is inferred that the injected JavaScript could compromise confidentiality, integrity or availability for site visitors. The vulnerability is not listed in the CISA KEV catalog, but the same inference suggests it can affect all visitors to an affected site, making it a significant risk.
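For triage on a site that ran an affected release, the following added example (not code from the plugin or from OpenCVE) audits stored message values for markup that would execute if rendered unescaped. It assumes the values have been exported as (record id, value) pairs, since this page does not state where wpr_admin_msg is stored; the names audit_message, audit_export and SAMPLE_ROWS are hypothetical and the sample rows are constructed.

```python
from html.parser import HTMLParser

# Tags that can run or load script when a stored value is rendered unescaped.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "base", "meta", "link", "form"}
# Attributes whose value is treated as a URL by the browser.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}


class _ActiveMarkupFinder(HTMLParser):
    """Collects findings for tags and attributes that can execute script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # Browsers ignore whitespace and control characters in the scheme.
                scheme = "".join(c for c in value if c > " ").lower()
                if scheme.startswith(("javascript:", "data:text/html")):
                    self.findings.append(f"script URL in {name} on <{tag}>")


def audit_message(value):
    """Return a list of findings for one stored message value."""
    finder = _ActiveMarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


def audit_export(rows):
    """rows: iterable of (record_id, stored_value). Returns flagged rows only."""
    return {rid: found for rid, val in rows if (found := audit_message(val))}


# Constructed sample export: two benign messages, three with active markup.
SAMPLE_ROWS = [
    ("msg-1", "Thanks for registering. An admin will review your account."),
    ("msg-2", "Welcome <b>back</b>!"),
    ("msg-3", "Hi<script>alert(1)</script>"),
    ("msg-4", '<img src="x" onerror="alert(1)">'),
    ("msg-5", '<a href="java&#115;cript:alert(1)">profile</a>'),
]
```

Any flagged row should be reviewed and removed from storage; upgrading the plugin does not clean values that were stored while the site was vulnerable.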