Impact
Stored Cross-Site Scripting (CWE-79) is present in the WordPress User Registration plugin, version 4.0.3 and earlier. The flaw allows attackers to inject arbitrary script through the registration form or other input fields whose contents are not properly sanitized before being rendered on a page. When a victim visits a page containing the stored payload, the script executes in the victim's browser, potentially enabling session hijacking, credential theft, or delivery of additional malware. The vulnerability affects only the client side; it does not provide direct code execution on the server.
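The following is an added illustration, not code from the User Registration plugin, of the vulnerable pattern the advisory describes and of the WordPress-native fix: a stored field echoed raw into a page beside the same field sanitized on input and escaped on output. The field key `ur_display_name` and the function names are hypothetical; the WordPress helpers (`sanitize_text_field`, `wp_unslash`, `esc_html`, `wp_kses`) are real and require a WordPress runtime.

```php
<?php
// Constructed sample input of the kind a registration form could receive.
$submitted = '<script>alert(1)</script>';

// VULNERABLE: value stored as-is and later concatenated into HTML, so the
// browser of every visitor who views the profile executes the stored script.
function ur_store_unsafe( $user_id, $raw ) {
    update_user_meta( $user_id, 'ur_display_name', $raw );
}
function ur_render_unsafe( $user_id ) {
    $value = get_user_meta( $user_id, 'ur_display_name', true );
    return '<p class="ur-name">' . $value . '</p>';
}

// HARDENED, step 1: sanitize on input. wp_unslash() removes the slashes
// WordPress adds to request data; sanitize_text_field() strips tags,
// octets and invalid UTF-8 before the value reaches the database.
function ur_store_safe( $user_id, $raw ) {
    $clean = sanitize_text_field( wp_unslash( $raw ) );
    update_user_meta( $user_id, 'ur_display_name', $clean );
}

// HARDENED, step 2: escape on output regardless of what is stored, since
// data may have been written by older, unsanitized code paths (defense in
// depth). esc_html() encodes <, >, &, " and ' for an HTML text context.
function ur_render_safe( $user_id ) {
    $value = get_user_meta( $user_id, 'ur_display_name', true );
    return '<p class="ur-name">' . esc_html( $value ) . '</p>';
}

// Where a field legitimately allows limited markup (e.g. a bio), use an
// explicit allow-list instead of raw output; event handler attributes and
// <script> are never in the list and are dropped.
function ur_render_bio_safe( $bio ) {
    $allowed = array( 'a' => array( 'href' => true ), 'em' => array(), 'strong' => array() );
    return '<div class="ur-bio">' . wp_kses( $bio, $allowed ) . '</div>';
}
```

For a site that cannot update immediately, the same escaping applied in the theme or a small mu-plugin filter on the rendered output reduces exposure, but updating the plugin past 4.0.3 remains the fix.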
Affected Systems
The issue affects the WordPress User Registration plugin from WPEverest, in both the free and pro editions. All versions from the earliest release up to and including 4.0.3 are vulnerable. The affected components are the instances of the plugin deployed on WordPress sites running these versions. No configuration is known to mitigate the problem other than updating the plugin.
Risk and Exploitability
The CVSS score of 5.9 indicates a moderate impact, while an EPSS score below 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation occurs when an attacker submits malicious input to the registration form; the input is stored and later rendered to any user who views the affected page. Because the flaw is triggered through normal interaction with the site, any WordPress installation that has the vulnerable plugin installed and exposes a publicly accessible user registration component is a potential target.
OpenCVE Enrichment