Brief Summary: CVE-2025-12160 Stored XSS in Simple User Registration for WordPress

This post provides a brief summary of CVE-2025-12160, a stored cross-site scripting vulnerability in the Simple User Registration plugin for WordPress (versions up to and including 6.6). The flaw allows unauthenticated attackers to inject persistent JavaScript via the 'wpr_admin_msg' parameter. Patch information and affected versions are detailed.

ZeroPath CVE Analysis

2025-11-21

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Persistent JavaScript injection can compromise user accounts, steal credentials, and enable attackers to maintain long-term access to WordPress sites. The Simple User Registration plugin for WordPress, used to manage user signups and membership workflows, was found to contain a high-severity stored cross-site scripting flaw that could be exploited by unauthenticated users. This brief summary covers the technical root cause, affected versions, and patch information for CVE-2025-12160.

The Simple User Registration plugin is a user management extension for WordPress, with around 300 active installations as of mid 2025. While not among the largest plugins in the ecosystem, it is relied upon by membership and community sites for handling user onboarding and profile management.

Technical Information

CVE-2025-12160 is a stored cross-site scripting vulnerability in the Simple User Registration plugin for WordPress, present in all versions up to and including 6.6. The flaw lies in the handling of the wpr_admin_msg parameter, which feeds the plugin's admin messaging functionality. Because the value is neither sanitized when it is accepted nor escaped when it is printed, an attacker can submit a crafted value containing HTML and JavaScript through this parameter. The value is written to the WordPress database and later emitted verbatim into every page that displays the message, so the browser of anyone who loads that page executes the attacker's script.

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). No authentication is required to exploit it. Once the payload is stored, it runs in the browser of every user who views the affected page, administrators included. WordPress marks its authentication cookies HttpOnly, so the realistic impact is not theft of the raw session cookie but actions performed with the victim's live session: a script executing in an administrator's browser can drive the REST API or admin forms, using the nonces already present on the page, to create a new administrator account, edit plugin or theme files, or otherwise establish persistent access to the site.

The issue is remediated in version 6.7, which adds input sanitization and output escaping and restricts unauthenticated access to the admin messaging functionality. Because the payload persists in the database, administrators of sites that ran a vulnerable version should also inspect the stored message for unexpected markup and review the site for signs that an injected script has already run, such as unfamiliar administrator accounts or recently modified plugin and theme files.
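To make the root cause concrete, the following is an added, illustrative example written for this summary; it is not the Simple User Registration plugin's code, and the advisory does not say which request path the plugin actually uses. Only the request parameter name wpr_admin_msg comes from the advisory. The option key, hook names, function names and the admin page slug are assumptions chosen to show the pattern. The first half reproduces the three defects the advisory describes (no access control on the write, no sanitization on input, no escaping on output); the second half shows the conventional WordPress hardening for each.

```php
<?php
/**
 * Illustrative vulnerable vs. hardened handling of a stored "admin message".
 * NOT the plugin's own code. Assumed names: option key 'wpr_admin_msg',
 * admin_post actions 'wpr_save_msg' / 'wpr_save_msg_safe', page slug 'wpr'.
 * Only the request parameter 'wpr_admin_msg' is taken from the advisory.
 */

/* ---------- Vulnerable pattern (CWE-79) ---------- */

// admin_post_nopriv_* handlers are reachable by anonymous visitors, so this
// write requires no login. This is one common way an unauthenticated stored
// XSS arises; the advisory does not state which path the plugin used.
add_action( 'admin_post_nopriv_wpr_save_msg', 'wpr_save_admin_msg_vulnerable' );
add_action( 'admin_post_wpr_save_msg',        'wpr_save_admin_msg_vulnerable' );

function wpr_save_admin_msg_vulnerable() {
    if ( isset( $_POST['wpr_admin_msg'] ) ) {
        // No capability check, no nonce, no sanitization: stored as submitted.
        update_option( 'wpr_admin_msg', wp_unslash( $_POST['wpr_admin_msg'] ) );
    }
    wp_safe_redirect( wp_get_referer() ?: home_url() );
    exit;
}

function wpr_render_admin_msg_vulnerable() {
    // A stored value such as <img src=x onerror="fetch('/wp-json/wp/v2/users',...)">
    // is echoed verbatim and executes for every viewer, administrators included.
    echo '<div class="wpr-admin-msg">' . get_option( 'wpr_admin_msg', '' ) . '</div>';
}

/* ---------- Hardened pattern ---------- */

// Registered only on the authenticated hook: anonymous requests never reach it.
add_action( 'admin_post_wpr_save_msg_safe', 'wpr_save_admin_msg_hardened' );

function wpr_save_admin_msg_hardened() {
    // 1. Access control: only users who may manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: nonce emitted by wp_nonce_field( 'wpr_save_msg' ).
    check_admin_referer( 'wpr_save_msg' );

    $raw = isset( $_POST['wpr_admin_msg'] ) ? wp_unslash( $_POST['wpr_admin_msg'] ) : '';

    // 3. Sanitize on input. The message is treated as plain text here; if a
    //    limited set of HTML is a real requirement, use wp_kses_post() instead,
    //    which allows only the post-content whitelist of tags and attributes.
    update_option( 'wpr_admin_msg', sanitize_text_field( $raw ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=wpr' ) );
    exit;
}

function wpr_render_admin_msg_hardened() {
    // 4. Escape on output, regardless of what is stored. This also neutralizes
    //    a payload written earlier by a vulnerable version or another code path.
    echo '<div class="wpr-admin-msg">' . esc_html( get_option( 'wpr_admin_msg', '' ) ) . '</div>';
}

function wpr_admin_msg_form() {
    // Attribute context uses esc_attr(); URL context uses esc_url().
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wpr_save_msg' ); ?>
        <input type="hidden" name="action" value="wpr_save_msg_safe">
        <input type="text" name="wpr_admin_msg"
               value="<?php echo esc_attr( get_option( 'wpr_admin_msg', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The two halves differ in four places, and each one maps to a phrase in the advisory: the nopriv hook versus a capability check and nonce (unauthenticated access), sanitize_text_field() on the way in (input sanitization), and esc_html() and esc_attr() on the way out (output escaping). Escaping at render time matters even after sanitization is added, because it protects against values that reached the database before the fix.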

Affected Systems and Versions

The following versions of the Simple User Registration plugin for WordPress are affected:

  • All versions up to and including 6.6

Sites running these versions are vulnerable if the plugin is active and the admin messaging feature is exposed.

Vendor Security History

The Simple User Registration plugin has received several security updates in recent versions, including fixes for CSRF and XSS vulnerabilities. The vendor released version 6.7 promptly after disclosure of CVE-2025-12160, addressing the root cause by improving input handling and access controls. Previous changelogs indicate a pattern of reactive security improvements following public reports of vulnerabilities.
