CVE-2025-2836: 
WordPress vulnerability analysis and mitigation

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'payment_method' parameter in versions up to and including 6.0.4.3. This vulnerability exists due to insufficient input sanitization and output escaping. The issue was discovered and disclosed on April 4, 2025 (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to inject malicious scripts that execute in users' browsers when they visit affected pages. This can lead to theft of sensitive information, session hijacking, or other client-side attacks against users who view the compromised pages (NVD).

The vulnerability was addressed in version 6.0.4.4 of the plugin, released on April 1, 2025. Users are advised to update to this version or later to protect against this vulnerability (WordPress Changeset).