The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with the injected payload for execution.
References
Configurations
Configuration 1 (hide)
|
History
23 Apr 2025, 17:25
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:wpeverest:user_registration_\&_membership:*:*:*:*:free:wordpress:*:* | |
| First Time |
Wpeverest
Wpeverest user Registration \& Membership |
21 Jan 2025, 16:55
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Wpuserregistration
Wpuserregistration user Registration \& Membership |
|
| CPE | cpe:2.3:a:wpuserregistration:user_registration_\&_membership:*:*:*:*:*:wordpress:*:* | |
| CWE | CWE-79 | |
| References | () https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/class-ur-shortcodes.php#L288 - Product | |
| References | () https://plugins.trac.wordpress.org/changeset/3045419/user-registration/trunk/includes/class-ur-shortcodes.php - Patch | |
| References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/62b809dc-4089-4822-8aeb-7049fcfe376e?source=cve - Third Party Advisory |
Information
Published : 2024-03-07 06:15
Updated : 2025-04-23 17:25
NVD link : CVE-2024-1720
Mitre link : CVE-2024-1720
CVE.ORG link : CVE-2024-1720
JSON object : View
Products Affected
wpeverest
- user_registration_\&_membership
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')