CVE-2025-12160
📋 TL;DR
The Simple User Registration plugin for WordPress has a stored cross-site scripting vulnerability in the 'wpr_admin_msg' parameter. Unauthenticated attackers can inject malicious scripts that execute when users view affected pages. All WordPress sites using this plugin up to version 6.6 are vulnerable.
💻 Affected Systems
- Simple User Registration WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers inject malicious scripts to steal user session cookies, redirect users to phishing sites, or display unwanted content.
If Mitigated
With proper web application firewalls and content security policies, script execution could be blocked, limiting impact to script injection without execution.
🎯 Exploit Status
The vulnerability is simple to exploit with basic web knowledge. Public proof-of-concept code is available in the WordPress plugin repository changeset.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 6.6
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Simple User Registration plugin. 4. Click 'Update Now' if available. 5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Simple User Registration plugin until patched
wp plugin deactivate wp-registration
Implement Content Security Policy
allAdd CSP headers to block inline script execution
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
🧯 If You Can't Patch
- Disable the Simple User Registration plugin immediately
- Implement a web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Simple User Registration version 6.6 or earlierCheck Version:
wp plugin get wp-registration --field=versionVerify Fix Applied:
Verify plugin version is higher than 6.6 or plugin is completely removed📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with wpr_admin_msg parameter containing script tags
- Multiple failed XSS attempts in web server logs
Network Indicators:
- Outbound connections to suspicious domains from WordPress site
- Unusual JavaScript payloads in HTTP requests
SIEM Query:
source="web_logs" AND ("wpr_admin_msg" AND ("<script" OR "javascript:" OR "onload=" OR "onerror="))