Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syam Mohan WPFront User Role Editor wpfront-user-role-editor allows Stored XSS.This issue affects WPFront User Role Editor: from n/a through <= 4.2.3.
Published: 2025-09-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation provides a Stored XSS flaw in the WPFront User Role Editor plugin. An attacker can inject malicious scripts that execute in the context of users who view affected pages, allowing session hijacking, defacement, or credential theft. The vulnerability can compromise the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The vulnerability affects the WordPress WPFront User Role Editor plugin developed by Syam Mohan. All releases from the initial build through version 4.2.3 are susceptible.

Risk and Exploitability

With a CVSS score of 6.5, the flaw represents a moderate risk. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not listed in CISA KEV. Attackers are likely to exploit the stored data inputs required by the plugin, and the attack vector is inferred to be local or from an authenticated user with permissions to alter role settings.

Generated by OpenCVE AI on April 30, 2026 at 00:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPFront User Role Editor plugin to the latest release that resolves the XSS issue.
  • If an upgrade is not immediately feasible, temporarily deactivate or remove the plugin to eliminate the injection vector.
  • Implement a content security policy that restricts execution of inline scripts, providing a mitigating layer against potential XSS attacks.

Generated by OpenCVE AI on April 30, 2026 at 00:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31298 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syam Mohan WPFront User Role Editor allows Stored XSS. This issue affects WPFront User Role Editor: from n/a through 4.2.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syam Mohan WPFront User Role Editor allows Stored XSS. This issue affects WPFront User Role Editor: from n/a through 4.2.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syam Mohan WPFront User Role Editor wpfront-user-role-editor allows Stored XSS.This issue affects WPFront User Role Editor: from n/a through <= 4.2.3.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpfront
Wpfront wpfront User Role Editor
Vendors & Products Wordpress
Wordpress wordpress
Wpfront
Wpfront wpfront User Role Editor

Fri, 26 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syam Mohan WPFront User Role Editor allows Stored XSS. This issue affects WPFront User Role Editor: from n/a through 4.2.3.
Title WordPress WPFront User Role Editor Plugin <= 4.2.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
Wpfront Wpfront User Role Editor
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:54.821Z

Reserved: 2025-09-25T15:20:16.564Z

Link: CVE-2025-60102

cve-icon Vulnrichment

Updated: 2025-09-26T13:43:24.386Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T09:15:35.783

Modified: 2026-04-23T15:34:13.373

Link: CVE-2025-60102

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:15:23Z

Weaknesses