CVE-2025-24686: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in Metagauss User Registration Forms RegistrationMagic affecting versions through 6.0.3.3. The vulnerability was disclosed on January 28, 2025, and was assigned CVE-2025-24686. The issue was discovered by security researcher 0xd4rk5id3 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NIST NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned a slightly higher score of 7.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The attack requires user interaction and can potentially lead to compromise of sensitive browser-based data (Patchstack).

Users are advised to update to RegistrationMagic version 6.0.3.4 or later which contains fixes for this vulnerability. Patchstack has also issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).