CVE-2025-12160: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nmedia Simple User Registration
The Simple User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpr_admin_msg' parameter in all versions up to, and including, 6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-12160 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Simple User Registration plugin for WordPress, developed by nmedia. The vulnerability exists because input is improperly neutralized during web page generation: the 'wpr_admin_msg' parameter is insufficiently sanitized on input and insufficiently escaped on output before being rendered, which allows attackers to inject arbitrary JavaScript. Because the XSS is stored, the malicious script persists on the server and executes whenever any user loads the affected page, so a single injection can compromise many users. All plugin versions up to and including 6.6 are affected. The CVSS v3.1 score is 7.2 (high severity): the attack vector is network-based (AV:N), no privileges are required (PR:N), no user interaction is needed (UI:N), and the scope changes (S:C), with low confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N). An unauthenticated remote attacker can therefore exploit the flaw without user interaction, potentially stealing sensitive information such as session cookies or performing unauthorized actions on behalf of users. No patches or fixes have been linked yet, and no exploits are known in the wild. The CVE was reserved on October 24, 2025, and published on November 21, 2025. The CWE classification is CWE-79, improper neutralization of input during web page generation leading to XSS. Given the widespread use of WordPress and the popularity of user registration plugins, this vulnerability poses a significant risk to sites that use this plugin for user management.
Potential Impact
The impact of CVE-2025-12160 is significant for organizations running the Simple User Registration plugin on WordPress sites. Exploitation lets attackers execute arbitrary JavaScript in the context of the affected website, potentially leading to theft of session cookies, user credentials, or other sensitive information. Attackers can also perform actions on behalf of authenticated users, such as changing account details, or escalate privileges if the flaw is combined with other vulnerabilities. Because the payload is stored, it can affect many users over time rather than a single victim. The absence of authentication and user-interaction requirements makes exploitation easier and more likely. For organizations, this can lead to data breaches, reputational damage, and compliance violations. Attackers could also use the vulnerability as a foothold for further attacks within the network or to distribute malware. Given WordPress's extensive use worldwide, the vulnerability could affect a large number of websites, including e-commerce, corporate, and governmental sites, amplifying the potential damage.
Mitigation Recommendations
To mitigate CVE-2025-12160, organizations should:
1) Immediately audit their WordPress installations to determine whether the Simple User Registration plugin is installed and which version is in use.
2) Monitor the vendor's official channels for patches or updates addressing this vulnerability and apply them promptly once available.
3) In the absence of an official patch, consider temporarily disabling or uninstalling the plugin to eliminate the attack vector.
4) Deploy Web Application Firewall (WAF) rules designed to detect and block XSS payloads targeting the 'wpr_admin_msg' parameter or similar vectors.
5) Apply input validation and context-appropriate output encoding to all user-supplied data in custom code and themes to reduce XSS risk.
6) Educate site administrators and users about the risks of XSS and encourage security best practices such as least privilege and strong authentication.
7) Regularly scan websites for malicious scripts or anomalies that could indicate exploitation attempts.
8) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts.
These actions focus on immediate risk reduction and long-term prevention.
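As an added illustration of items 5 and 8, not code from the plugin or from this advisory, the following shows the unescaped-output pattern that CWE-79 describes beside a hardened rendering and a CSP header; the function names, the option key, and the capability used for the write path are assumptions.

```php
<?php
// Added example, not the Simple User Registration plugin's own code.
// Function names, the option key 'sur_admin_msg_example' and the
// 'manage_options' capability are assumptions for illustration.

// UNSAFE pattern (CWE-79): the stored value is echoed into HTML as-is,
// so any markup stored in it is rendered, and any <script> it carries runs
// for every visitor of the page. This is what "insufficient output
// escaping" means in the advisory.
function sur_unsafe_render_admin_msg() {
    $msg = get_option( 'sur_admin_msg_example', '' );
    echo '<div class="notice">' . $msg . '</div>'; // unescaped sink
}

// HARDENED, step 1: validate and sanitize on the way in, and only let
// privileged users set the message at all (least privilege, item 6).
function sur_store_admin_msg( $raw ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false; // unauthenticated or low-privilege callers cannot write
    }
    // wp_unslash() undoes WordPress's added slashes; sanitize_text_field()
    // strips tags, control characters and surrounding whitespace.
    update_option( 'sur_admin_msg_example', sanitize_text_field( wp_unslash( $raw ) ) );
    return true;
}

// HARDENED, step 2: escape on the way out for the exact output context.
// esc_html() is correct for an HTML body; inside an attribute esc_attr()
// would be used instead. If limited formatting must be allowed, filter
// with wp_kses_post() rather than echoing raw.
function sur_render_admin_msg() {
    $msg = get_option( 'sur_admin_msg_example', '' );
    echo '<div class="notice">' . esc_html( $msg ) . '</div>';
}

// Defense in depth (item 8): a CSP that forbids inline script, so an
// escape that is missed elsewhere cannot execute injected inline JavaScript.
// The site's own inline scripts would then need nonces or hashes; scope
// the header to front-end requests if the admin area relies on inline JS.
function sur_send_csp_header() {
    if ( is_admin() ) {
        return;
    }
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
}
add_action( 'send_headers', 'sur_send_csp_header' );
```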
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, France, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-24T13:24:29.288Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692032ceb6fc887540a02d44
Added to database: 11/21/2025, 9:37:18 AM
Last enriched: 2/27/2026, 8:13:43 PM
Last updated: 3/22/2026, 5:02:14 PM