Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Front End Users front-end-only-users allows Stored XSS. This issue affects Front End Users: from n/a through <= 3.2.35.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored XSS flaw arising from improper neutralization of user input during web page rendering in the Rustaurius Front End Users plugin. An attacker who can inject malicious data into the plugin’s data store can have that input rendered as active script in the browser of any user who views the affected page. Because the payload is stored, the compromise can affect every user who accesses the vulnerable page, potentially allowing cookie theft, session hijacking, or defacement of the site.

Affected Systems

The flaw affects the WordPress plugin "Front End Users" (Rustaurius) for all installed versions up to and including 3.2.35. The plugin is commonly used to manage front‑end user access on WordPress sites.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score indicates a very low likelihood of exploitation in the wild (<1%). The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by creating or modifying content via the plugin’s front‑end interface; the malicious script is stored and later injected into the generated HTML. Exploitation requires that the vulnerable plugin is installed and that a user whose browser executes scripts accesses a page that renders the stored input.

Generated by OpenCVE AI on April 30, 2026 at 06:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Front End Users plugin to version 3.2.36 or later, which contains the platform‑level input sanitization fix.
  • If immediate update is not possible, disable or remove any front‑end content submission features that allow users to store data through the plugin, or restrict access to the pages that render stored input.
  • After applying the update or disabling the submission features, conduct an XSS scan (e.g., using a web application scanner) to confirm that no malicious scripts are stored or rendered.



Advisories

Source: EUVD
ID: EUVD-2025-30568
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Front End Users allows Stored XSS. This issue affects Front End Users: from n/a through 3.2.33.
History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Front End Users allows Stored XSS. This issue affects Front End Users: from n/a through 3.2.33.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Front End Users front-end-only-users allows Stored XSS.This issue affects Front End Users: from n/a through <= 3.2.35.
  • Title
    Removed: WordPress Front End Users Plugin <= 3.2.33 - Cross Site Scripting (XSS) Vulnerability
    Added: WordPress Front End Users plugin <= 3.2.35 - Cross Site Scripting (XSS) vulnerability
  • References
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 17:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

  • First Time appeared: Wordpress wordpress
  • Vendors & Products: Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

  • Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Front End Users allows Stored XSS. This issue affects Front End Users: from n/a through 3.2.33.
  • Title: WordPress Front End Users Plugin <= 3.2.33 - Cross Site Scripting (XSS) Vulnerability
  • Weaknesses: CWE-79
  • References
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:55:53.089Z

Reserved: 2025-08-27T16:19:35.849Z

Link: CVE-2025-58235

Vulnrichment

Updated: 2025-09-23T15:56:49.982Z

NVD

Status : Deferred

Published: 2025-09-22T19:16:08.797

Modified: 2026-04-23T15:33:21.350

Link: CVE-2025-58235

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:45:16Z

Weaknesses