CVE-2025-60102: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in WPFront User Role Editor WordPress plugin versions through 4.2.3. The vulnerability was reported on July 25, 2025, and publicly disclosed on September 26, 2025. The security issue affects the WPFront User Role Editor plugin developed by Syam Mohan, which is used for managing user roles in WordPress installations (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires Contributor or higher privilege level for exploitation (NVD, Patchstack).

If exploited, this vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

The vulnerability has been patched in version 4.2.4 of the WPFront User Role Editor plugin. Users are advised to update to version 4.2.4 or later to remediate the security issue. No specific workarounds have been provided for users who cannot immediately update (Patchstack).