Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Reflected XSS. This issue affects RegistrationMagic: from n/a through <= 6.0.3.3.
Published: 2025-01-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows a reflected cross‑site scripting attack. An attacker can supply malicious input via a request parameter and have it included in the response without proper encoding, enabling the execution of arbitrary JavaScript in a victim’s browser. This can facilitate session hijacking, credential theft, defacement or malicious redirection from the perspective of the user who visits the crafted URL.

Affected Systems

The affected product is Metagauss RegistrationMagic, a WordPress plugin. Versions from the first release through 6.0.3.3 are vulnerable. Any WordPress site that has this plugin installed within that version range is at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score of less than 1% shows a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the attack vector is likely remote via crafted HTTP requests, and an attacker only needs to lure a user to a malicious URL. The vulnerability is technically easy to exploit once the user clicks the link, so sites should consider it a high operational risk.

Generated by OpenCVE AI on May 1, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the RegistrationMagic plugin to version 6.0.4 or later, which removes the reflected XSS vector.
  • If an update is not immediately possible, accept form input only from trusted sources, enforce strict input validation, and encode user-supplied data before rendering.
  • Implement browser‑side defenses such as Content Security Policy headers or XSS protection directives to limit the impact of any reflected payload.


Advisories
Source: EUVD
ID: EUVD-2025-3880
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss User Registration Forms RegistrationMagic allows Reflected XSS. This issue affects RegistrationMagic: from n/a through 6.0.3.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss User Registration Forms RegistrationMagic allows Reflected XSS. This issue affects RegistrationMagic: from n/a through 6.0.3.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Reflected XSS. This issue affects RegistrationMagic: from n/a through <= 6.0.3.3.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00029}
Values Added: epss {'score': 0.00037}


Tue, 04 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Metagauss
Metagauss registrationmagic
CPEs cpe:2.3:a:metagauss:registrationmagic:*:*:*:*:*:wordpress:*:*
Vendors & Products Metagauss
Metagauss registrationmagic

Fri, 31 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 31 Jan 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss User Registration Forms RegistrationMagic allows Reflected XSS. This issue affects RegistrationMagic: from n/a through 6.0.3.3.
Title WordPress RegistrationMagic Plugin <= 6.0.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:31.968Z

Reserved: 2025-01-23T14:52:14.007Z

Link: CVE-2025-24686

Vulnrichment

Updated: 2025-01-31T15:31:00.981Z

NVD

Status: Modified

Published: 2025-01-31T09:15:11.340

Modified: 2026-04-23T15:25:17.180

Link: CVE-2025-24686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T18:00:09Z

Weaknesses