Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bnovotny User Registration Aide user-registration-aide allows Reflected XSS. This issue affects User Registration Aide: from n/a through <= 1.5.3.8.
Published: 2025-11-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The "User Registration Aide" WordPress plugin contains a reflected cross‑site scripting vulnerability in its user registration flow. An unauthenticated attacker can supply malicious script content that is reflected in the generated page, allowing arbitrary script to execute in the victim’s browser. This could lead to session hijacking, credential theft, or defacement, as described by CWE‑79.

Affected Systems

The vulnerability affects the Bnovotny User Registration Aide plugin for WordPress, versions from the initial release up through 1.5.3.8.

Risk and Exploitability

The CVSS score of 7.1 is rated High; the EPSS score is below 1%, suggesting a low likelihood of widespread exploitation, and the issue is not listed in CISA's KEV catalog. Exploitation requires the attacker to craft a malicious URL or form input that is reflected back into the page, typically via the plugin’s registration interface. The CVSS vector (PR:N, UI:R) indicates that no privileges are required but the victim must interact with the crafted input, so any visitor to the affected site can be targeted. Given the low EPSS, the overall risk is moderate but still significant for exposed WordPress installations.

Generated by OpenCVE AI on April 30, 2026 at 05:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Registration Aide plugin to a version newer than 1.5.3.8.
  • If immediate upgrade is not possible, disable or remove the plugin from the site.
  • Deploy a web application firewall or serve the site's pages with a strict Content Security Policy to block reflected script execution.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Mon, 10 Nov 2025 20:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 06 Nov 2025 20:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bnovotny User Registration Aide user-registration-aide allows Reflected XSS. This issue affects User Registration Aide: from n/a through <= 1.5.3.8.

Type: Title
Values Added: WordPress User Registration Aide Plugin <= 1.5.3.8 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:21.649Z

Reserved: 2025-06-27T10:28:11.949Z

Link: CVE-2025-53239

Vulnrichment

Updated: 2025-11-10T19:31:06.595Z

NVD

Status: Deferred

Published: 2025-11-06T16:15:55.300

Modified: 2026-04-27T17:16:27.740

Link: CVE-2025-53239

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:30:06Z

Weaknesses