CVE-2025-6831: 
WordPress vulnerability analysis and mitigation

The User Registration plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-6831) discovered on July 21, 2025. The vulnerability affects all versions up to and including 4.2.4, specifically in the plugin's urcr_restrict shortcode functionality. This security issue was addressed in version 4.3.0 released on July 17, 2025 (NVD, AttackerKB).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the urcr_restrict shortcode. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. This indicates the vulnerability requires low attack complexity, can be exploited remotely, requires low privileges, and affects confidentiality and integrity with low impact (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user sessions (NVD).

Users should immediately upgrade to version 4.3.0 or later of the User Registration plugin, which contains the security fix for this vulnerability. The update was released on July 17, 2025, and includes additional feature enhancements along with the security patch (WordPress Plugin).