Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Registration user-registration allows Reflected XSS. This issue affects User Registration: from n/a through <= 5.1.5.
Published: 2026-04-29
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of input during web page generation, which allows malicious user-controlled data to be reflected and executed by a victim’s browser. An attacker can inject script into the registration page, leading to theft of session cookies, credentials, and other sensitive information, or to unauthorized actions performed on behalf of the user. The issue is a classic reflected XSS flaw documented as CWE‑79.

Affected Systems

WordPress User Registration plugin versions up through 5.1.5 are impacted. The plugin is distributed by wpeverest under the "User Registration" name; no additional products or platforms are listed as affected.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability is considered high severity, but it is not currently listed in the CISA KEV catalog and the EPSS score is unavailable. The attack requires a victim to visit or interact with the registration page, after which the attacker’s injected payload is executed in the victim’s browser. No advanced preconditions are identified beyond normal user access to the affected site.

Generated by OpenCVE AI on April 29, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the User Registration plugin to version 5.1.6 or later.
  • Sanitize and validate all user‑supplied data on registration fields before rendering it back to the page.
  • Deploy a web application firewall or enforce a strict Content‑Security‑Policy to block injected scripts.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 29 Apr 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Wordpress; Wordpress wordpress; Wpeverest; Wpeverest user Registration |
| Vendors & Products | | Wordpress; Wordpress wordpress; Wpeverest; Wpeverest user Registration |

Wed, 29 Apr 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpeverest User Registration user-registration allows Reflected XSS. This issue affects User Registration: from n/a through <= 5.1.5. |
| Title | | WordPress User Registration plugin <= 5.1.5 - Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T13:49:06.168Z

Reserved: 2026-04-29T09:04:43.153Z

Link: CVE-2026-42652

Vulnrichment

Updated: 2026-04-29T13:48:37.092Z

NVD

Status: Deferred

Published: 2026-04-29T12:16:20.207

Modified: 2026-04-29T21:15:41.667

Link: CVE-2026-42652

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:00:06Z

Weaknesses