CVE-2021-38325: 
WordPress vulnerability analysis and mitigation

The User Activation Email WordPress plugin (versions up to and including 1.3.0) was identified with a Reflected Cross-Site Scripting vulnerability (CVE-2021-38325). The vulnerability was discovered and disclosed on September 8, 2021, affecting the plugin's handling of the uae-key parameter in the user-activation-email.php file (WPScan, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue stems from improper input validation in the uae-key parameter within the user-activation-email.php file, which allows for the injection of arbitrary web scripts (NVD).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts into the affected WordPress sites. The CVSS scoring indicates low impacts on both confidentiality and integrity, with no impact on availability. User interaction is required for successful exploitation (NVD).

No known fix has been identified for this vulnerability as of the last update. Users of the User Activation Email WordPress plugin version 1.3.0 or earlier should consider removing or disabling the plugin until a security patch is available (WPScan).